
Check commit signatures when using cz

Open jenstroeger opened this issue 1 year ago • 3 comments

Description

To increase trust in commits, particularly in the context of current software supply-chain issues, it may be useful to enforce signed commits with various cz commands. To maintain backwards compatibility, this should be an opt-in feature.

For example,

cz bump --changelog --require-signed-commits --yes

would fail if one or more of the commits for the change are unsigned.

Possible Solution

Iterate over the commits of a change set and use git verify-commit <SHA>.

Additional context

Of the current commitizen commands:

commands:
  {init,commit,c,ls,example,info,schema,bump,changelog,ch,check,version}
    init                init commitizen configuration
    commit (c)          create new commit
    ls                  show available commitizens
    example             show commit example
    info                show information about the cz
    schema              show commit schema
    bump                bump semantic version based on the git log
    changelog (ch)      generate changelog (note that it will overwrite existing file)
    check               validates that a commit message matches the commitizen schema
    version             get the version of the installed commitizen or the current project (default: installed commitizen)

the proposed, optional command-line switch --require-signed-commits could also be useful to commit, bump, changelog, and check.


jenstroeger avatar Sep 04 '22 22:09 jenstroeger
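The "Possible Solution" above sketches the check in one sentence: walk the commits of a change set and run `git verify-commit` on each. The script below is an added example of that loop written for this page; it is not commitizen's code and does not use its internals. It takes a revision range such as `v1.2.0..HEAD`, collects the SHAs with `git rev-list`, and reports every commit that `git verify-commit` does not accept. The `run` parameter is a hypothetical hook that defaults to `subprocess.run` so the git calls can be replaced in tests. Note that a non-zero exit from `git verify-commit` covers an unsigned commit, a bad signature and a signer key missing from the local keyring alike, which is the caveat the git documentation quoted later in this thread raises.

```python
"""Report commits in a revision range that git cannot verify as signed.

Added example for this issue; not part of commitizen.
"""
import subprocess
import sys
from typing import Callable, List


def _git(args: List[str], run: Callable = subprocess.run) -> subprocess.CompletedProcess:
    # Thin wrapper around `git ...`; `run` is a hypothetical injection point
    # so tests can substitute a fake for subprocess.run.
    return run(["git", *args], capture_output=True, text=True)


def list_commits(rev_range: str, run: Callable = subprocess.run) -> List[str]:
    """Return the commit SHAs in rev_range (e.g. 'v1.2.0..HEAD'), oldest first."""
    result = _git(["rev-list", "--reverse", rev_range], run)
    if result.returncode != 0:
        raise RuntimeError(f"git rev-list failed: {result.stderr.strip()}")
    return [line.strip() for line in result.stdout.splitlines() if line.strip()]


def is_signed(sha: str, run: Callable = subprocess.run) -> bool:
    """True when `git verify-commit <sha>` exits 0.

    git verify-commit delegates to GPG and needs the signer's public key in the
    local keyring; an unsigned commit, a tampered commit and an unknown key all
    produce a non-zero status, so False does not say which of the three it was.
    """
    return _git(["verify-commit", sha], run).returncode == 0


def find_unsigned(rev_range: str, run: Callable = subprocess.run) -> List[str]:
    """SHAs in rev_range whose signature git could not verify."""
    return [sha for sha in list_commits(rev_range, run) if not is_signed(sha, run)]


def main(argv: List[str]) -> int:
    # Usage: python check_signed.py v1.2.0..HEAD
    rev_range = argv[1] if len(argv) > 1 else "HEAD~10..HEAD"
    bad = find_unsigned(rev_range)
    for sha in bad:
        print(f"unsigned or unverifiable: {sha}")
    print(f"{len(bad)} commit(s) failed verification in {rev_range}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit is what a `--require-signed-commits` switch would turn into a refusal to bump or generate a changelog; to distinguish "no signature" from "key not in keyring", the stderr text that GPG emits would have to be inspected, which this example deliberately leaves out.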

I'm open to it; the flag should be provided as a setting as well.

woile avatar Sep 05 '22 06:09 woile

In principle signing commits and verifying their signatures later is a great idea. However, like the Signing Your Work section of the git documentation states:

Everyone Must Sign

Signing tags and commits is great, but if you decide to use this in your normal workflow, you’ll have to make sure that everyone on your team understands how to do so.

And also:

This command uses GPG to verify the signature. You need the signer’s public key in your keyring for this to work properly: […]

So, while we could probably add support for this to cz, the user of this feature would actually need to understand the larger context and requirements for using it. See also the "Verifying signed git commits?" discussion on Stack Overflow.

jenstroeger avatar Sep 22 '22 17:09 jenstroeger

I think a section in the tutorials for "Working with signed commits" could help a lot, within the context of commitizen. Like crafted specially around the team requiring this flag --require-signed-commits.

woile avatar Sep 23 '22 06:09 woile