-
-
Notifications
You must be signed in to change notification settings - Fork 297
Open
@jenstroeger
Description
Description
To increase trust in commits, particularly in the context of current software supply-chain issues, it may be useful to enforce signed commits with various cz commands. To maintain backwards compatibility, this should be an opt-in feature.
For example,
cz bump --changelog --require-signed-commits --yes
would fail if one or more of the commits for the change are unsigned.
Possible Solution
Iterate over the commits of a change set and use git verify-commit <SHA>.
Additional context
Of the current commitizen commands:
commands:
{init,commit,c,ls,example,info,schema,bump,changelog,ch,check,version}
init init commitizen configuration
commit (c) create new commit
ls show available commitizens
example show commit example
info show information about the cz
schema show commit schema
bump bump semantic version based on the git log
changelog (ch) generate changelog (note that it will overwrite existing file)
check validates that a commit message matches the commitizen schema
version get the version of the installed commitizen or the current project (default: installed commitizen)
the proposed, optional command-line switch --require-signed-commits could also be useful to commit, bump, changelog, and check.
Additional context
No response