Ask HN: Do you sign your code at work? - agrinman
Does everyone on your engineering team sign their code?

How do you go about verifying signatures and making sure the code signing verifies every time you push/pull code?

Does your team rely on GitHub's server-side verification?
======
brandur
We don't for the most part, but ended up moving to a VPNed GitHub Enterprise
installation over the possibility (albeit an unlikely one) that GitHub's main
cloud could be compromised and used to inject malicious code into a repository
that we own.

It doesn't hurt to shore up on security, but given the expense of operating a
GHE installation, the fact that there are some GH niceties that don't work
quite right there, and that even in just a few months of use GHE already has a
poorer availability record than the public GH cloud, broad code signing might
have been a better approach.

We do sign in a few places like for our internal deployment tool that gets
widely distributed to all engineers, and which checks its code signature
before allowing a deploy. It works pretty well, but the fact that GitHub's
"merge pull request" button exists (which will create a merge commit on `HEAD`
without a valid signature) tends to cause a fair bit of inconvenience.

I'd definitely be curious if others have been making this work.
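An added example, not from any poster in this thread: a Python policy check over the per-commit signature status that `git log` reports via `%G?`, which flags the unsigned merge commits the "merge pull request" button creates unless the caller explicitly allows them. The sample log lines are constructed, and `check_range` assumes a real checkout with the signers' public keys imported.

```python
# Policy check over git's per-commit signature status (%G? in git log):
# G good, B bad, U good/untrusted key, X good/expired, Y good/expired key,
# R good/revoked key, E cannot be checked (key missing), N no signature.
import subprocess
from dataclasses import dataclass

# sha, status, parent shas, subject, tab-separated
LOG_FORMAT = "%H%x09%G?%x09%P%x09%s"
REASONS = {"B": "bad signature", "U": "good signature, untrusted key",
           "X": "good signature, expired", "Y": "good signature, key expired",
           "R": "good signature, key revoked", "E": "cannot check (key missing)",
           "N": "no signature"}

@dataclass
class Finding:
    commit: str
    status: str
    reason: str

def check_signature_log(log_text, allow_unsigned_merges=False, accept_untrusted_key=False):
    """Return a Finding for every commit in the log text that fails the policy.

    allow_unsigned_merges tolerates the unsigned merge commits that GitHub's
    "merge pull request" button creates; accept_untrusted_key tolerates 'U'.
    """
    findings = []
    for line in filter(None, log_text.splitlines()):
        sha, status, parents, _subject = line.split("\t", 3)
        if status == "G" or (status == "U" and accept_untrusted_key):
            continue
        if status == "N" and allow_unsigned_merges and len(parents.split()) > 1:
            continue
        findings.append(Finding(sha, status, REASONS.get(status, "unknown status")))
    return findings

def check_range(rev_range="origin/main..HEAD", **policy):
    """Run git on a real checkout (signers' public keys must be in the keyring)."""
    out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                         capture_output=True, text=True, check=True).stdout
    return check_signature_log(out, **policy)

# Constructed sample shaped like real output: a commit signed with a key we lack,
# a tampered commit, an unsigned merge-button commit, and one good commit.
SAMPLE_LOG = "\n".join([
    "4444444\tE\t3333333\tBump version",
    "3333333\tB\t2222222\tRelease script change",
    "2222222\tN\t1111111 9999999\tMerge pull request from feature/x",
    "1111111\tG\t0000000\tAdd deploy signature check",
])
```

Running `check_range()` with a non-empty result in a pre-push hook or CI job is the simplest way to make the check happen on every push rather than only at deploy time.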

------
jetti
I'm curious as to why one would want to do that. Maybe it's because we host
internally (internal Bitbucket server) that I don't think we would need this
or maybe because we are small and know who is pushing what.

------
adamb_
IntelliJ automatically adds your name to the top of Java classes / etc, so..
kinda?

~~~
thatwebdude
Your sign isn't the same as what they're talking about. But don't worry, I
assumed the same initially.