I've mostly been able to avoid PGP, but one workflow that I haven't been able to find a decent alternative for is Git commit signing.

Does anyone know good alternatives in this space?

Linus himself has expressed his opinion several times that signing every commit is useless. His posts here explain it a bit: http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-t...

Well yes, signing every commit is useless. He did not, however, at any point during that exchange, express the idea that commit signing is a useless activity. And that is what I was referring to.

Currently Git seems to be very much integrated with GnuPG and the same goes for GitHub's UX sprinkles over the signing feature. That is what I'd like a decent alternative to.

I considered using OpenBSD's signify, but it does not integrate as nicely as GnuPG signing, so I'd basically be rolling my own mechanism (which is fine I guess, but feels subpar).

For the record git signing can also use X.509 certificates but from what I see it's still managed by GnuPG.

Signing every commit can be useless, but signing the releases seems to be important and useful, mainly if the developer releases compiled binaries.

