Sign outgoing contributions

[ddimtirov]

Considering the Aleyankov vs. Goldman Sachs case, it will be useful if GitProxy provides non-repudiation guarantees for the released contributions.

The proposed solution does not rely on GitProxy being a system of record, and can prove beyond doubt that the contribution has undergone internal review and has been cleared for release according to the company rules (even in case of losing the GitProxy data). It is easy to verify by third party, and the verification part is separable from the contribution in case this is desired.

When GitProxy pushes commits to upstream, it should sign them with instance specific key (GPG or X.509/S-MIME). For patch-based workflow (#61), in addition to the patch file it should email signature file with the instance specific key.

As part of the company OSS engagement, the company is strongly recommended to publicise the public key with which the contributions can be verified. As a minimum, the public key should be accessible from the UI of GitProxy.

Alternatives and considerations:

• For the git-push case, GitProxy would replace any signatures already present on the commits. This is reasonable, as these are likely to be internal to the company. If desired, once pushed outside the company perimeter, the commits can be re-signed by the contributor. A way to avoid that is instead of signing individual commits, Gitlab to push a signed tag marking the HEAD of the contribution.
• As many projects don't appreciate tag pollution, this would have to be a per-project setting.

[grovesy]

Agreed on this - priority wise I need to get out the current 'mega PR' pending, then this would be a great next feature to pick up

Another use case here is when working with internal mirrors - i.e.

• Take the commit's from the internal mirror
• Change the committer info from any internal usernames/emails - to the contributors public account details
• Sign
• Send to the upstream