
My company uses GitHub for our organization repos and also validates authors by enforcing signed commits.

The problem is that it is possible to clone a repo, create a branch, submit several commits, and create a Pull Request without any signed commits. It isn't until there is an attempt to merge that PR into develop or main, or whatever branch is protected with signed commits, that the PR merge fails. At that point, we have to clean it all up with a rebase so that there are no commits without signatures.

Is there a way to enforce the signatures even on the local clone of the repo? Something like a pre-commit hook that ensures the commit fails if there is no signature? Something that, once set up, would look something like this:

```
> git clone <my-company's-git-repo-with-signatures-required-on-main-branch>
> cd <my-company's-git-repo-with-signatures-required-on-main-branch>
> git switch main # Just to make it clear that I am on the protected branch
> touch my-new-file
> git add my-new-file
> git commit -m "Testing" # And this is for a user that does not have signing set up yet.
Git Error: Cannot commit without signature  # Or whatever the error message would be
```

This prevents any sort of "roll back" via rebase or whatever other method may be possible.

Mike Williamson
If your team is fine with a one-time setup for each developer on the project, git-hooks scripts can be put in the repository to share a pre-push / pre-commit hook for that, for example. See [stackoverflow answer](https://stackoverflow.com/a/54281447/10441671), [blog article with this approach](https://www.viget.com/articles/two-ways-to-share-git-hooks-with-your-team/) – Peter Krebs Oct 19 '21 at 14:15

1 Answer


I think it is not possible to force someone to create a signed commit, or to do something like a forced signed-commit check.

Since this is your company repository and signed commits are a MUST, you may want to make a rule: anyone who contributes to this repository should make signed commits.

FYI: something you can do is set a git alias that turns a normal commit into a signed commit.

Something like:

```
# The trailing "-" fills $0 so that "$@" receives every argument given to the alias
s-commit = "!sh -c 'git commit -S \"$@\"' -"
```

Or even make commit always be a signed commit. :-)

Of course, any contributor should use or obey this rule.

tomy0608
  • Thanks for your input. You are correct that we can ask it to be a rule, and it already is a rule. I just wanted to automate things a little more so that no one can accidentally make a mistake. Regarding the alias, that works fine for me, but not broadly across the company. – Mike Williamson Oct 25 '21 at 08:11
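
The shared-hook approach from the comment under the question, as an added example that is not part of the original thread: a `pre-push` hook, since a `pre-commit` hook runs before the commit object (and therefore its signature) exists. It only checks that a signature header is present, not that the signature verifies, and it assumes the file is installed under the name `pre-push`, for instance in a directory that `core.hooksPath` points to.

```shell
#!/bin/sh
# Added example: pre-push hook that blocks pushes containing unsigned commits.
# It checks that a signature header is present, not that the signature verifies.

# True when the id is all zeros (Git's "no object" marker, SHA-1 or SHA-256).
is_zero() { case "$1" in *[!0]*) return 1 ;; esac; }

# Read one raw commit object on stdin and succeed only if its header block
# (everything before the first blank line) has a gpgsig header. The word
# "gpgsig" inside the commit message does not count.
has_signature_header() {
    awk '/^$/ { exit } /^gpgsig(-sha256)? / { found = 1; exit } END { exit !found }'
}

# Print the ids of unsigned commits selected by the given rev-list arguments.
unsigned_commits() {
    git rev-list "$@" | while read -r sha; do
        git cat-file commit "$sha" | has_signature_header || echo "$sha"
    done
}

# Git writes one line per pushed ref to the hook's stdin:
#   <local ref> <local id> <remote ref> <remote id>
check_push() {
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        if is_zero "$local_sha"; then continue; fi      # branch deletion
        if is_zero "$remote_sha"; then
            # New branch: check commits no remote-tracking ref contains yet.
            bad=$(unsigned_commits "$local_sha" --not --remotes)
        else
            bad=$(unsigned_commits "$remote_sha..$local_sha")
        fi
        if [ -n "$bad" ]; then
            echo "pre-push: unsigned commits on $local_ref:" >&2
            echo "$bad" >&2
            status=1
        fi
    done
    return "$status"
}

# Run the check only when Git invokes this file as the hook itself.
case "${0##*/}" in
    pre-push) check_push ;;
esac
```

Setting `git config commit.gpgsign true` makes a plain `git commit` sign by default, so the hook only fires in clones where that setup was skipped.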