feat(signature)!: verify commits via GitHub public key lookup#79
Merged
Conversation
Coverage Report (Δ +0.0%)
|
||||||||||||||||||||
benner
force-pushed
the
feat/signature-github-key-lookup
branch
from
6a385eb to
f455da4
Compare
benner
changed the title
benner
force-pushed
the
feat/signature-github-key-lookup
branch
from
f455da4 to
2d845b2
Compare
Eliminates the need for a pre-configured local keyring by fetching the
author's public GPG and SSH keys directly from GitHub at check time.
Lookup flow:
1. Resolve author email → GitHub username via the search API
2. Fetch `github.com/{username}.gpg` and `github.com/{username}.keys`
3. Try GPG verification with a temporary GNUPGHOME
4. Try SSH verification with a temporary allowed_signers file
5. Fail explicitly if the API is unreachable or author not found on GitHub
BREAKING CHANGE: previously, API errors and unknown authors silently fell
back to `git verify-commit`. Both cases now fail with a clear error message.
Disable the `signature` check if GitHub API access is unavailable.
Signed-off-by: Nerijus Bendžiūnas <nerijus.bendziunas@gmail.com>
benner
force-pushed
the
feat/signature-github-key-lookup
branch
from
2d845b2 to
7c533fd
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Eliminates the need for a pre-configured local keyring by fetching the
author's public GPG and SSH keys directly from GitHub at check time.
Lookup flow:
github.com/{username}.gpgandgithub.com/{username}.keysBREAKING CHANGE: previously, API errors and unknown authors silently fell
back to
git verify-commit. Both cases now fail with a clear error message.Disable the
signaturecheck if GitHub API access is unavailable.