Bagas Sanjaya <bagasdotme@xxxxxxxxx> writes:

> On Wed, Dec 18, 2024 at 06:49:39AM -0800, Junio C Hamano wrote:
>> Bagas Sanjaya <bagasdotme@xxxxxxxxx> writes:
>>
>> > So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
>> > pull request (which I should submit in this cycle). Is it OK to do that?
>> > Drawbacks?
>>
>> Instead of talking first about drawbacks, we should consider the
>> upsides. Why would we even want to see your GPG signature, when
>> most of us do not even have your GPG public key in our keychains?
>>
>> What are we trying to achieve by doing this?
>
> Just to ensure that PR commits are really from the respective authors.

Yeah, but my point was that it would not ensure that, because practically
nobody has a way to validate that the signature was created with your
private key, and public keyservers were tainted a long time ago with fake
keys with the same fingerprint, so they would not work as a good way to
obtain your public key and be sure it is yours.

If this were "because we would want to eat our own dogfood", and if we
found bugs in our code when different people sign their commits with
their own signature schemes (i.e. you may sign yours with your GPG key,
somebody else may use their SSH key, and yet other people use their X.509
certs), it might give us valuable insights, but the resulting history may
be irrevocably tainted if the bug is on the signing side (if the bug is on
the verification side, that is OK).

Thanks.