Description
This was disabled here: #54
But the community notes mention a tracking issue should be opened for this.
Requiring authorized committers (i.e. minimally maintainers) to sign their commits (and possibly rejecting the merging of unsigned commits in certain branches) considerably improves the audit posture of the project - which is one reason why the CNCF explicitly recommends it.
It is quite easy to set up and enforce in GitHub as well. It is a one-time step, like CLA/DCO agreement.
It is the simplest and most reliable way to prevent committer impersonation. It is also a prerequisite for several third-party repo security posture assessments.
It is also (effectively) a prerequisite for signing release tags, which is also important for audit posture/software supply chain auditing.
It has been mentioned that Kubernetes and Istio do not require commit signatures or validation, but that is by itself a poor reason - those are both very old and very large projects with plenty of local habits and baggage, and what they do (or do not do) is not automatically best practice for net-new projects.
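The "rejecting the merging of unsigned commits in certain branches" part of the proposal can be enforced outside GitHub's own branch-protection toggle as well, for example as a CI gate. The script below is an added example (not code from the issue author or from this project): it walks a commit range with git's `%G?` signature-status placeholder and rejects anything that is not a good signature from a key the runner trusts. It assumes the maintainers' public keys have already been imported into the CI runner's keyring, so a good-but-untrusted signature (`U`) is rejected like an unsigned one; the function names and the `SIGCHECK_REPO`/`SIGCHECK_RANGE` variables are this example's own.

```shell
#!/bin/sh
# Added example, not part of the issue or the project: a CI-side gate that
# refuses a commit range containing any commit without a trusted, valid
# signature. Relies on git's %G? placeholder, whose single-letter statuses are:
#   G good signature            U good signature, key not trusted
#   X good signature, expired   Y good signature, key expired
#   R good signature, revoked   E cannot check (e.g. key missing)
#   B bad signature             N no signature
# Assumption: maintainer keys are imported into the runner keyring, so only
# "G" is acceptable and "U" is treated as a failure.

# classify_signature STATUS
# Prints a short verdict and returns 0 only for a trusted, valid signature.
classify_signature() {
  case "$1" in
    G)   echo "ok"; return 0 ;;
    U)   echo "reject: signing key not trusted"; return 1 ;;
    N)   echo "reject: commit is unsigned"; return 1 ;;
    B)   echo "reject: bad signature"; return 1 ;;
    X|Y) echo "reject: signature or key expired"; return 1 ;;
    R)   echo "reject: signing key revoked"; return 1 ;;
    E)   echo "reject: signature could not be checked"; return 1 ;;
    *)   echo "reject: unknown status '$1'"; return 1 ;;
  esac
}

# check_signed_range REPO RANGE
# Lists every commit in RANGE (e.g. origin/main..HEAD) as "<sha>:<status>",
# reports each rejected commit on stderr, and returns non-zero if any commit
# fails. Uses a for-loop over the output rather than a pipe into while, so the
# counter survives (a piped while-loop would run in a subshell).
check_signed_range() {
  repo=$1
  range=$2
  bad=0
  for line in $(git -C "$repo" log --format='%H:%G?' "$range"); do
    sha=${line%%:*}
    status=${line##*:}
    if ! verdict=$(classify_signature "$status"); then
      printf 'commit %s rejected (%s)\n' "$sha" "$verdict" >&2
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Usage from CI (both variables are this example's own convention):
#   SIGCHECK_REPO=. SIGCHECK_RANGE=origin/main..HEAD sh check-signed.sh
if [ -n "${SIGCHECK_RANGE:-}" ]; then
  check_signed_range "${SIGCHECK_REPO:-.}" "$SIGCHECK_RANGE"
fi
```

Run it against the range a PR would merge (`origin/main..HEAD`) in a job that runs before the merge; a non-zero exit blocks the merge. Importing the maintainers' keys into the runner is what makes the check meaningful: without that, every signed commit shows up as `U` and the gate degrades to "has a signature" rather than "signed by someone we trust".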
Activity