add-verified-gpg-signature-to-git-settings

[david-thrower]

Kind of issue: Process Change

After viewing a recent security tutorial and other sources, I am seeing that some frameworks require a local GPG signature for commits [1] before a commit can be merged in. We need to add to the CICD SOP or SOP-0001 a requirement that this setting be applied. The setting to create these signatures is easy to apply [2].

[1] https://garantir.io/three-frameworks-software-supply-chain-security/ [2] https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits