signing

signing

关注
发信
如何使用 Autofac 将控制器的 ModelState 传递给我的服务构造函数?
从hibernate获取SQL
在TypeScript中找不到名称jsPdf
保存和加载 jsPlumb 流程图,包括准确的锚点和连接
用PDFBOX写阿拉伯字符
如何制作wordpress简码
加入nHibernate
Eclipse Git插件 - 从repo中删除文件而不删除本地
如何在 *nix 上将 Zend Framework 2 与 MS SQL Server 一起使用?
记录最大日期
在pom.xml中更改了JDK版本,但eclipse仍使用默认值1.5
能给我举个“模式"的例子吗?xsl 中的模板?
NSURLRequest挂在SpringBoard上
创建文件名中非英文字符的文件
CoreDNS后缀重写导致DNS查询返回重写的名称

如何自动验证所有提交者PGP签名他们的提交

扫码查看
本文介绍了如何自动验证所有提交者PGP签名他们的提交的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

然后制作(如果)可以将签名部分限制为将作为贡献合并的提交



有关该过程的更多详细信息:




  • (对于gpg部分)



所以如果你的持续集成构建只合并request-pull(用于),你可以检查这些特定的提交是否已签名(如果它们不是)。
这个脚本就是这样一个检查的例子:。


Github supports signing commits with a PGP key.

We have an open source project, that accepts contributors from people without PGP keys. Security is essential for us, and so we decided that each person who merges pull requests will sign the merges with his PGP key, and so each actual commit will either be directly signed by the author, and/or by the merger.

What is the best way to setup a continous integration build that makes sure this actually happens? We want the build to fail, alarms to go off, and possibly the commit/merge reverted, if anyone commits or merges code into the main repo, without signing it with a PGP key from a given list of authorized keys.

We are using github, so I wonder is github hooks may help. I believe we're using Jenkins for CI, however that probablly doesn't matter as it's going to be a custom script.

To clarify: The project accepts contributions from open source developers, and we won't require each of these to have a PGP key. However, each of the people with merge rights in github must have a PGP key, and the build I propose will verify this. The merge-commits themselves are going to be PGP-signed, even if not every commit is.

解决方案

Update (April 2016)

See "GitHub GPG signature verification":

Original answer (June 2014)

From your edit, you went with option 2 in the paper "A Git Horror Story: Repository Integrity With Signed Commits":

Then making a signed request-pull (which can be always signed if commit.gpgsign is set) can limit the signing part to the commits that will be merged as contribution-commits only (as opposed to any random merge between two branches).

More details on that process on:

So if your continuous integration build only merges request-pull (used in this test script), you can check if those specific commits are signed (and don't merge them if they are not).
This script is an example of such a check: "check-commit-signature".

这篇关于如何自动验证所有提交者PGP签名他们的提交的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-22 17:34
查看更多
Powered by LMLPHP ©2025 signing 0.042428