
Git-signatures – Multiple PGP signatures for your commits - Couto
https://github.com/hashbang/git-signatures
======
drybjed
A similar idea was described in 2015: [https://grimoire.ca/git/detached-sigs](https://grimoire.ca/git/detached-sigs)

------
Ayesh
Looks like a really cool approach for git-tag-based release management at the
CI level.

TIL about git-notes which looks pretty neat.

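Added example to illustrate the mechanism discussed above (several detached PGP signatures for one commit kept in a git note, checked in CI); this is not code from git-signatures or from any commenter. The notes ref name refs/notes/signatures, the layout of one armored signature appended after another in a single note, the threshold rule, and the names alice/bob/mallory are this example's own assumptions, not a description of the project's format. It needs git and gpg 2.1+ and prints "skipped" without them.

```shell
#!/bin/sh
# Added example, not the project's code. Assumed layout: detached armored
# signatures of the raw commit object, appended to the note at
# refs/notes/signatures. CI counts distinct allow-listed signers.
set -eu

# Maintainer side: sign the raw commit object with one key and append the
# armored signature to the commit's note (never touches the commit itself).
sign_commit() {            # $1 = commit id, $2 = gpg user id
  git cat-file commit "$1" > "$WORK/object"
  gpg --batch --yes --armor --local-user "$2" \
      --output "$WORK/sig.asc" --detach-sign "$WORK/object"
  git notes --ref=signatures append -F "$WORK/sig.asc" "$1"
}

# CI side: count distinct primary-key fingerprints from the CI keyring
# (GNUPGHOME is the allow list) that validly signed this exact object.
# Unknown keys and the same key signing twice do not add to the count.
count_signers() {          # $1 = commit id ; prints the count
  git cat-file commit "$1" > "$WORK/object"
  git notes --ref=signatures show "$1" > "$WORK/note" 2>/dev/null || : > "$WORK/note"
  rm -f "$WORK"/part.*
  # split the note at every armor header into one file per signature
  awk -v d="$WORK" '/^-----BEGIN PGP SIGNATURE-----/{n++} n{print > (d "/part." n)}' "$WORK/note"
  for p in "$WORK"/part.*; do
    [ -f "$p" ] || continue
    gpg --batch --status-fd 1 --verify "$p" - < "$WORK/object" 2>/dev/null || true
  done | awk '/^\[GNUPG:\] VALIDSIG/ { if (!($12 in seen)) { seen[$12] = 1; n++ } }
              END { print n + 0 }'     # $12 = primary key fingerprint
}

# Policy gate a release job would run: exit status is the verdict.
require_signers() {        # $1 = commit id, $2 = required distinct signers
  [ "$(count_signers "$1")" -ge "$2" ]
}

# Constructed scenario: two trusted keys, one outsider key, one commit.
run_demo() (
  command -v git >/dev/null && command -v gpg >/dev/null || { echo skipped; return 0; }
  WORK=$(mktemp -d); export WORK
  GNUPGHOME="$WORK/ci-keyring"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME" "$WORK/outsider"
  gen() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
              --quick-gen-key "$1" ed25519 sign 0 2>/dev/null; }
  gen 'alice <alice@example.invalid>' || { echo skipped; return 0; }
  gen 'bob <bob@example.invalid>'
  # mallory's key lives in a keyring the CI job never imports
  (export GNUPGHOME="$WORK/outsider"; gen 'mallory <mallory@example.invalid>')

  cd "$WORK" && git init -q repo && cd repo
  git -c user.name=ci -c user.email=ci@example.invalid -c commit.gpgsign=false \
      commit -q --allow-empty -m 'release 1.0'
  c=$(git rev-parse HEAD)
  r="none=$(count_signers "$c")"
  sign_commit "$c" alice;  r="$r alice=$(count_signers "$c")"
  sign_commit "$c" alice;  r="$r again=$(count_signers "$c")"     # same key twice
  (export GNUPGHOME="$WORK/outsider"; sign_commit "$c" mallory)
  r="$r mallory=$(count_signers "$c")"                             # unknown key
  sign_commit "$c" bob;    r="$r bob=$(count_signers "$c")"
  require_signers "$c" 2 && r="$r policy=pass" || r="$r policy=fail"
  gpgconf --kill gpg-agent 2>/dev/null || true
  (export GNUPGHOME="$WORK/outsider"; gpgconf --kill gpg-agent 2>/dev/null) || true
  echo "$r"
)

run_demo
```

The point of keeping the signatures in a note rather than in the commit is that any number of maintainers can add theirs afterwards without rewriting history, and the CI job decides what "enough" means; verification only trusts keys that were deliberately imported into the job's keyring, which is what turns a pile of signatures into a release policy.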
------
whoisthisfor
Is there anything out there that doesn't need GPG? Having a working GPG
install is a huge lift for developers.

~~~
angry_octet
I take this to mean: apart from the barnacles on GPG, could there be a system
which does what GPG does for software development (signing), without the non-
functioning web-of-trust of GPG, or the hierarchical system of x509 signing?
Something that deals with lost keys, compromised keys/accounts, loss of DNS
control, MitMing, MitBing, etc?

I think it is probably in the class of problems where there are no great
foolproof solutions. However, I can imagine that techniques like certificate
transparency (all signed x509 certificates pushed to a shared log) would be
quite useful. Even blockchain techniques. Maybe send someone to check on me,
I'm feeling unwell having written that.

~~~
whoisthisfor
[https://goo.gl/images/Mww5SR](https://goo.gl/images/Mww5SR)

You read my mind. I'd love if it could be rooted in a Yubikey.

Decoupling the "signing" and "verifying" parts seems like a good idea. As a
random person signs something, how someone else figures out how to trust that
signature is a separate problem.

~~~
spockz
Afaik, you can install keys for use with gpg[1] on modern YubiKeys.

