SSH certificates and git signing
6 points by Foxboron
Okay, you sign your commits... Then I take your patches, rebase them, maybe I edit one of them a bit, and apply them to my codebase.
The signatures are now invalid and get dropped. What was the point again?
I sign tags. No idea why people sign commits. If you email me patches, sign the emails. If you send me patches via some platform, well I can rely on the platform's authentication to attest to your identity.
After all, there's about the same chance that your credentials were compromised as there is that your private key got compromised (because, let's face it, 90% of people signing commits are not putting their signing key on an HSM or TPM).
The solution to verifying that the code you just got emailed/PRed/posted is legitimate is ... reading it.