
Hey @njaremko,

Thank you for using Graphite and for your support. This is something we're aware of and are currently thinking about.

Question, if we were to support this by signing commits: Would you want the commit to be signed by the Graphite GitHub App? Or would you prefer for it to be signed by Graphite on behalf of you? Or some other option that we haven't considered?

-Xiulung (UX @ Graphite)



I think letting me give you a gpg private key and you sign commits with that would be ideal. I'm not sure how the app signing commits would work, since it needs to be signed by a member of our org I believe?


Yep, our app signing the commits would mean requiring your org to approve the app as "someone" who can contribute to the repo


then why not let them generate the key itself?


So I can revoke the key if I need to (my understanding is that you need the private key for that)


Signing locally using your GPG key is the correct answer to this (IMO); otherwise you're replacing one attestation with a much weaker one.



