commitizen
Check commit signatures when using cz
Description
To increase trust in commits, particularly in the context of current software supply-chain issues, it may be useful to enforce signed commits with various cz commands. To maintain backwards compatibility, this should be an opt-in feature.
For example,
cz bump --changelog --require-signed-commits --yes
would fail if one or more of the commits for the change are unsigned.
Possible Solution
Iterate over the commits of a change set and use git verify-commit <SHA>.
Additional context
Of the current commitizen commands:
commands:
{init,commit,c,ls,example,info,schema,bump,changelog,ch,check,version}
init init commitizen configuration
commit (c) create new commit
ls show available commitizens
example show commit example
info show information about the cz
schema show commit schema
bump bump semantic version based on the git log
changelog (ch) generate changelog (note that it will overwrite existing file)
check validates that a commit message matches the commitizen schema
version get the version of the installed commitizen or the current project (default: installed commitizen)
the proposed, optional command-line switch --require-signed-commits could also be useful to commit, bump, changelog, and check.
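The following is an added example, not commitizen's own code and not something the issue author posted: it sketches what a --require-signed-commits check over a change set could look like in Python, commitizen's implementation language. It asks git for the signature status of every commit in a range in a single call (the %G? placeholder of git log, whose codes are listed in git-log(1) under PRETTY FORMATS) instead of spawning git verify-commit per commit, and it also shows the per-commit git verify-commit call the issue proposes. Function names, the policy flag accept_untrusted and the sample log output are assumptions made for the example.

```python
"""Reject a change set that contains unsigned or unverifiable commits.

Example code for the --require-signed-commits idea; not part of commitizen.
Requires git on PATH and a repository with GPG (or SSH) signature
verification configured for the signers' keys.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Codes printed by git's %G? placeholder (git-log(1), PRETTY FORMATS):
#   G good signature, trusted key        U good signature, key validity unknown
#   X good signature, but expired        Y good signature, key has expired
#   R good signature, key revoked        B bad signature
#   E cannot be checked (e.g. key missing from keyring)   N not signed
LOG_FORMAT = "%H%x09%G?%x09%GS"  # sha <TAB> status <TAB> signer name

_REASONS = {
    "N": "commit is not signed",
    "E": "signature cannot be checked (signer's public key not in keyring)",
    "B": "bad signature",
    "U": "good signature but the key's validity is unknown",
    "X": "good signature but it has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
}


@dataclass(frozen=True)
class CommitSignature:
    sha: str
    status: str
    signer: str

    def is_valid(self, accept_untrusted: bool = False) -> bool:
        """Policy: only G passes; U (key present, not trusted) only if allowed."""
        return self.status == "G" or (accept_untrusted and self.status == "U")

    def reason(self) -> str:
        return _REASONS.get(self.status, f"unrecognised status {self.status!r}")


def parse_log(output: str) -> list[CommitSignature]:
    """Parse `git log --format=<LOG_FORMAT>` output into records.

    %GS is empty for unsigned commits, so a line may end with a trailing tab;
    pad the split so every record has three fields.
    """
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, status, signer = (line.split("\t", 2) + ["", ""])[:3]
        records.append(CommitSignature(sha, status, signer))
    return records


def unverified(commits: list[CommitSignature],
               accept_untrusted: bool = False) -> list[CommitSignature]:
    """Commits in the change set that fail the signature policy."""
    return [c for c in commits if not c.is_valid(accept_untrusted)]


def log_signatures(rev_range: str, repo: str = ".") -> list[CommitSignature]:
    """Signature status of every commit in rev_range (e.g. 'v1.2.0..HEAD')."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


def verify_commit(sha: str, repo: str = ".") -> bool:
    """Per-commit check with `git verify-commit`, as proposed in the issue.

    Exit status 0 means git could verify the signature; non-zero covers both
    'no signature' and 'signature present but key unknown or invalid'.
    """
    result = subprocess.run(["git", "-C", repo, "verify-commit", sha],
                            capture_output=True)
    return result.returncode == 0


class UnsignedCommitsError(Exception):
    """Raised when --require-signed-commits (assumed flag) is not satisfied."""


def require_signed_commits(rev_range: str, repo: str = ".",
                           accept_untrusted: bool = False) -> bool:
    bad = unverified(log_signatures(rev_range, repo), accept_untrusted)
    if bad:
        details = "\n  ".join(f"{c.sha[:12]}  {c.reason()}" for c in bad)
        raise UnsignedCommitsError(
            f"unsigned or unverifiable commits in {rev_range}:\n  {details}")
    return True


# Constructed sample of `git log --format=%H%x09%G?%x09%GS` output, for testing.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tAlice <alice@example.com>\n"
    "2222222222222222222222222222222222222222\tN\t\n"
    "3333333333333333333333333333333333333333\tE\t\n"
    "4444444444444444444444444444444444444444\tU\tBob <bob@example.com>\n"
)

if __name__ == "__main__":
    import sys
    # usage: python require_signed.py v1.2.0..HEAD
    require_signed_commits(sys.argv[1] if len(sys.argv) > 1 else "HEAD~10..HEAD")
```

Two points the example makes visible: status E (signature present, key not in the keyring) fails the check exactly like N (no signature), which is the keyring requirement raised in the git documentation, and whether U (valid signature, key of unknown trust) should pass is a team policy decision, so it is a separate switch rather than silently accepted.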
I'm open to it, the flag should be provided as a setting as well.
In principle signing commits and verifying their signatures later is a great idea. However, like the Signing Your Work section of the git documentation states:
Everyone Must Sign
Signing tags and commits is great, but if you decide to use this in your normal workflow, you’ll have to make sure that everyone on your team understands how to do so.
And also:
This command uses GPG to verify the signature. You need the signer’s public key in your keyring for this to work properly: […]
So, while we could probably add support for this to cz, the user of this feature would actually need to understand the larger context and requirements for using it. See also the Verifying signed git commits? discussion on Stackoverflow.
I think a section in the tutorials for "Working with signed commits" could help a lot, within the context of commitizen. Like crafted specially around the team requiring this flag --require-signed-commits