How to automatically verify all committers PGP-sign their commit


How to automatically verify all committers PGP-sign their commit

Github supports signing commits with a PGP key.
We have an open source project, that accepts contributors from people without PGP keys. Security is essential for us, and so we decided that each person who merges pull requests will sign the merges with his PGP key, and so each actual commit will either be directly signed by the author, and/or by the merger.
What is the best way to setup a continous integration build that makes sure this actually happens? We want the build to fail, alarms to go off, and possibly the commit/merge reverted, if anyone commits or merges code into the main repo, without signing it with a PGP key from a given list of authorized keys.
We are using github, so I wonder is github hooks may help. I believe we're using Jenkins for CI, however that probablly doesn't matter as it's going to be a custom script.
To clarify: The project accepts contributions from open source developers, and we won't require each of these to have a PGP key. However, each of the people with merge rights in github must have a PGP key, and the build I propose will verify this. The merge-commits themselves are going to be PGP-signed, even if not every commit is.


Solution 1:

Update (April 2016)

See “GitHub GPG signature verification“:

starting today GitHub will show you when commits and tags are signed.

When you view a signed commit or tag, you will see a badge indicating if the signature could be verified using any of the contributor’s GPG keys uploaded to GitHub.
You can upload your GPG keys by visiting the keys settings page.

Original answer (June 2014)

From your edit, you went with option 2 in the paper “A Git Horror Story: Repository Integrity With Signed Commits“:

Option #2 is as simple as passing the -S argument to git merge.
If the merge is a fast-forward (that is, all commits can simply be applied atop of HEAD without any need for merging), then you would need to use the --no-ff option to force a merge commit.

Then making a signed request-pull (which can be always signed if commit.gpgsign is set) can limit the signing part to the commits that will be merged as contribution-commits only (as opposed to any random merge between two branches).

More details on that process on:

So if your continuous integration build only merges request-pull (used in this test script), you can check if those specific commits are signed (and don’t merge them if they are not).
This script is an example of such a check: “check-commit-signature“.