Only allow signed/verified commits on the main branch
In order for Relm4 to be used by as many people as possible, they need to be able to trust the code base. One part of this is that all commits are signed/verified. Github has a setting to ensure this which should be enabled.
Before this is turned on, the main contributors to this project should set up automatic commit signing. After it is set up, you can forget about it. Here is a tutorial on how to do it: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits I am using KeepassXC to store my keys. Keepass only adds them when I unlock the password database, which is quite nice.
We probably cannot expect a person that just wants to do a one time PR to set it up though. What should be done in these cases?
I don't know how to proceed with this. I have started using signed commits over the past weeks but many less active contributors don't seem to sign their commits yet...
Maybe it was not a good idea. Apparently you can only sign commits the moment you create them. One option would be to rebase all PRs before committing them, but then I don't think Github gives credit to the user who created the PR. The git doc states:
Everyone Must Sign: Signing tags and commits is great, but if you decide to use this in your normal workflow, you'll have to make sure that everyone on your team understands how to do so. If you don't, you'll end up spending a lot of time helping people figure out how to rewrite their commits with signed versions. Make sure you understand GPG and the benefits of signing things before adopting this as part of your standard workflow.
We can probably close this issue.
I think we could suggest that contributors sign their commits here: https://github.com/Relm4/Relm4/blob/main/.github/pull_request_template.md
That looks like the best solution to me.
I think that just signing release git tags is enough.
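The three mechanical pieces discussed in this thread, as an added example that is not part of the Relm4 project or of any comment above: turning on automatic commit and tag signing once (the "set it up and forget about it" step), rewriting an unsigned PR branch with signed commits (what the quoted git book calls rewriting commits with signed versions), signing and verifying a release tag, and a small policy check that scans `git log --format='%H %G?'` output so a maintainer or CI job can tell which commits on a range are unsigned. It assumes git with a GPG key already available; `KEYID`, the tag name and the sample hashes at the bottom are placeholders I made up.

```shell
#!/bin/sh
# Added example; not Relm4 code. Assumes git and gpg are installed and a
# signing key exists. KEYID and the sample data below are placeholders.

# 1. One-time setup: sign every commit and every annotated tag automatically.
enable_signing() {
  keyid="$1"                      # e.g. the long key id shown by `gpg -K`
  git config --global user.signingkey "$keyid"
  git config --global commit.gpgsign true
  git config --global tag.gpgSign true
}

# 2. Re-sign an existing branch: rewrite every commit after BASE with a signed
#    version. This rewrites history, so the PR branch must be force-pushed
#    afterwards and the commits keep their original author line.
resign_since() {
  base="$1"                       # e.g. origin/main
  git rebase --exec 'git commit --amend --no-edit -S' "$base"
}

# 3. Release tags only: create a signed tag and immediately verify it.
sign_release_tag() {
  tag="$1"                        # e.g. v0.1.0
  git tag -s "$tag" -m "Release $tag" && git verify-tag "$tag"
}

# 4. Policy check over lines of the form "<hash> <status>", as printed by
#    git log --format='%H %G?' BASE..HEAD
#    %G? values: G good, U good but key not trusted, B bad, X/Y expired,
#    R revoked, E cannot be checked, N no signature at all.
#    Prints each offending commit and returns 1 if any were found.
check_signature_lines() {
  bad=0
  while read -r hash status; do
    [ -z "$hash" ] && continue
    case "$status" in
      G|U) ;;   # signed; U only means the key is not in our local trust web
      N)   echo "unsigned: $hash"; bad=1 ;;
      *)   echo "bad/unverifiable ($status): $hash"; bad=1 ;;
    esac
  done
  return $bad
}

# Convenience wrapper for a real repository, e.g. check_range origin/main..HEAD
check_range() {
  git log --format='%H %G?' "$1" | check_signature_lines
}

# Stand-alone demo on constructed log output (fake hashes, not real commits).
sample='1111111 G
2222222 N
3333333 U
4444444 E'
printf '%s\n' "$sample" | check_signature_lines || echo "policy violated"
```

`U` is treated as acceptable because a contributor's key will usually not be in the maintainer's GPG trust web; GitHub's own "Verified" badge additionally requires the key to be attached to the committer's account, which this local check cannot see.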