top | item 37572576

Xiulung | 2 years ago

Hey @njaremko,

Thank you for using Graphite and your support. This is something we're aware of and currently thinking around.

Question, if we were to support this by signing commits: Would you want the commit to be signed by the Graphite GitHub App? Or would you prefer for it to be signed by Graphite on behalf of you? Or some other option that we haven't considered?

-Xiulung (UX @ Graphite)

njaremko | 2 years ago

I think letting me give you a gpg private key and you sign commits with that would be ideal. I'm not sure how the app signing commits would work, since it needs to be signed by a member of our org I believe?

Xiulung | 2 years ago

Yep, our app signing the commits would mean requiring your org to approve the app as "someone" who can contribute to the repo.

amtamt | 2 years ago

Then why not let them generate the key themselves?

joshka | 2 years ago

Signing locally using your GPG key is the correct answer to this (IMO), otherwise you're replacing one attestation with a much weaker one.