Hi Volkan,

On 21.11.2025 12:43, Volkan Yazıcı wrote:
> I suggest dropping the requirement of commits to be signed.

+1, I agree we should drop the requirement.

The only signatures we can reliably authenticate are those from committers (or at least PMC members), since we know each other and have exchanged keys through separate channels. We may not have gone as far as verifying government-issued IDs in person, but we have a high level of confidence that the GPG keys correspond to the individuals we work with, regardless of their legal names.

For external contributors, that assurance doesn't exist. All we can really say is that a commit was signed by some GPG key, and that the associated email and key happen to be stored in their GitHub account. Furthermore, while we can verify these signatures today, we won't be able to do so reliably in the future unless we start storing the GitHub GPG keys of each contributor now.

A more reliable approach will come from in-toto attestations, which certify that a user with a specific GitHub identity submitted a given commit within a defined time-frame. There are already experimental GitHub Actions that support this, such as `source-tool` [1], and they don't require GPG keys.

Piotr

[1] https://github.com/slsa-framework/source-tool
