top | item 37571883

(no title)

njaremko | 2 years ago

I've been using this for a few months now, and it's been an absolute joy to use.

One thing that's been a bit annoying: my org enforces signed commits, and when you merge a stack, they sometimes rebase commits internally and lose the code signing, so you end up with an error to merge the rest of the stack.

Aside from that, working with stacks has been great!

discuss

Xiulung|2 years ago

Hey @njaremko,

Thank you for using Graphite and your support. This is something we're aware of and current thinking around.

Question, if we were to support this by signing commits: Would you want the commit to be signed by the Graphite GitHub App? Or would you prefer for it to be signed by Graphite on behalf of you? Or some other option that we haven't considered?

-Xiulung (UX @ Graphite)

njaremko|2 years ago

I think letting me give you a gpg private key and you sign commits with that would be ideal. I'm not sure how the app signing commits would work, since it needs to be signed by a member of our org I believe?

joshka|2 years ago

Signed locally using your GPG key is the correct answer to this (IMO), otherwise you're replacing a one attestation with a much weaker one.