Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jarrodldavis/probot-gpg
A GitHub App that enforces GPG signatures on pull requests (no longer maintained)
git-signing github-api github-app github-integration github-workflow gpg gpg-key gpg-signature probot probot-app probot-plugin pull-requests signing-commits
- Host: GitHub
- URL: https://github.com/jarrodldavis/probot-gpg
- Owner: jarrodldavis
- License: mit
- Archived: true
- Created: 2017-05-15T01:42:03.000Z (over 7 years ago)
- Default Branch: develop
- Last Pushed: 2019-07-19T20:30:41.000Z (over 5 years ago)
- Last Synced: 2025-01-15T00:11:54.503Z (6 days ago)
- Topics: git-signing, github-api, github-app, github-integration, github-workflow, gpg, gpg-key, gpg-signature, probot, probot-app, probot-plugin, pull-requests, signing-commits
- Language: JavaScript
- Homepage: https://github.com/apps/gpg
- Size: 690 KB
- Stars: 14
- Watchers: 2
- Forks: 10
- Open Issues: 10
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
Probot GPG
> A GitHub App built with [Probot](https://github.com/probot/probot) that enforces GPG signatures on pull requests
## Deprecation
**This GitHub App is no longer being kept up-to-date and is considered deprecated. It is recommended to use [GitHub's built-in enforcement](https://help.github.com/en/articles/about-required-commit-signing) of commit signature verification instead.**
## Setup
```
# Install dependencies
npm install

# Run the bot
npm start
```

## Usage
[Configure this app](https://github.com/apps/gpg) on your organizations and repositories. Be sure to enable [required status checks](https://help.github.com/articles/about-required-status-checks/) if you want to enforce GPG signatures on all pull requests.
See [docs/deploy.md](docs/deploy.md) if you would like to run your own instance of this plugin.
## How it works
Git supports [signing commits with GPG keys](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) to verify commit authorship beyond the easy-to-forge [author](https://git-scm.com/docs/git-commit#git-commit---authorltauthorgt) field.
GitHub supports [verifying GPG signatures on commits](https://github.com/blog/2144-gpg-signature-verification) and has an excellent [series of help articles](https://help.github.com/articles/signing-commits-with-gpg/) for creating a GPG key, using it with `git` locally, and linking it to a GitHub account.
After installation, this app [checks all commits](https://developer.github.com/v3/repos/commits/#compare-two-commits) of new (or newly updated) pull requests for valid GPG signatures [according to the GitHub API](https://developer.github.com/changes/2016-04-04-git-signing-api-preview/). Note that for the status check to be `success`, _every_ contributor of a pull request must:
- set up a GPG key on their local machine
- sign _all_ of their commits in the pull request with that key
- link that key with their GitHub account

![GPG status check success screenshot](docs/screenshot-success.png "GPG status check success screenshot")
Otherwise, the app will set the status to `failure`.
![GPG status check failed screenshot](docs/screenshot-failure.png "GPG status check failed screenshot")
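The decision described above (every commit in the pull request must carry a signature GitHub could verify, otherwise the status is `failure`) as an added example in JavaScript. This is not the app's own code: it takes the `commits` array from a GitHub "compare two commits" API response, reads each commit's `commit.verification.verified` and `commit.verification.reason` fields as GitHub returns them, and derives the status payload. The sample payload is constructed, and the choice to fail closed on a pull request with no commits is an assumption, not something the README states.

```javascript
// Added example, not part of probot-gpg. Field names follow the GitHub REST
// API (commit.verification.verified / commit.verification.reason); the
// sample data below is constructed for illustration.

/**
 * Derive a commit status from the commits of a pull request.
 * Returns state 'success' only when GitHub verified the signature on every
 * commit; otherwise 'failure' with the offending SHAs and GitHub's reason
 * (e.g. 'unsigned', 'unknown_key', 'unverified_email') so the contributor
 * can see what to fix.
 * Assumption: a pull request with no commits fails closed.
 */
function evaluateSignatures(commits) {
  if (!Array.isArray(commits) || commits.length === 0) {
    return { state: 'failure', description: 'No commits to check', unverified: [] };
  }

  const unverified = commits
    .filter((c) => !(c.commit && c.commit.verification && c.commit.verification.verified === true))
    .map((c) => ({
      sha: c.sha,
      reason: (c.commit && c.commit.verification && c.commit.verification.reason) || 'missing verification data',
    }));

  if (unverified.length === 0) {
    return {
      state: 'success',
      description: `All ${commits.length} commits have verified GPG signatures`,
      unverified,
    };
  }
  return {
    state: 'failure',
    description: `${unverified.length} of ${commits.length} commits lack a verified GPG signature`,
    unverified,
  };
}

// Constructed sample: three commits, only the first one verified. The second is
// unsigned; the third is signed, but with an email GitHub could not match to
// the account (the case the "Email privacy" section below is about).
const SAMPLE_COMPARE_COMMITS = [
  { sha: 'aaa111', commit: { verification: { verified: true, reason: 'valid' } } },
  { sha: 'bbb222', commit: { verification: { verified: false, reason: 'unsigned' } } },
  { sha: 'ccc333', commit: { verification: { verified: false, reason: 'unverified_email' } } },
];

console.log(JSON.stringify(evaluateSignatures(SAMPLE_COMPARE_COMMITS), null, 2));
```

Reporting GitHub's `reason` alongside each failing SHA is what makes the check actionable: `unsigned` means the commit needs re-signing, while `unverified_email` or `unknown_key` point at the key or email not being linked to the account rather than at the signature itself.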
## Email privacy
If you or any of your contributors use a [GitHub-provided `noreply` email address](https://help.github.com/articles/about-commit-email-addresses/) to keep a personal email address private, that `noreply` address should be used when creating a GPG key. Make sure that [`git`'s config is also using that `noreply` address](https://help.github.com/articles/setting-your-commit-email-address-in-git/) so that GitHub associates the GPG key correctly and validates it.
## Further reading
- [Git Tools - Signing Your Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
- [GitHub Help: Signing commits with GPG](https://help.github.com/articles/signing-commits-with-gpg/)
- [GitHub Help: Troubleshooting GPG](https://help.github.com/articles/troubleshooting-gpg/)
- [GitHub Blog: GPG signature verification](https://github.com/blog/2144-gpg-signature-verification)
- [GitHub Developer: Preview support for Git signing](https://developer.github.com/changes/2016-04-04-git-signing-api-preview/)
- [The GNU Privacy Guard](https://gnupg.org)
- [Setting up Git commit signing on macOS](https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b)

## Special thanks and attributions
- [@JasonEtco](https://github.com/jasonetco) for the lovingly crafted logo
- [@probot](https://github.com/probot) for the Probot head, which was found on [wikimedia.org](https://commons.wikimedia.org/wiki/File:Robot-clip-art-book-covers-feJCV3-clipart.png) and is from clipartkid.com, licensed [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/deed.en)