Squash and Merge Pull Request Signing Commit with Local GPG Key

[paulohenriqu]

Describe the feature or problem you’d like to solve

Currently, when someone merges a Pull Request using the Github UI and the "Squash and Merge" option, the commit is signed with the Github GPG key and the PR status changed to merged automatically.

Would it be possible to sign the squash commit using the user GPG key?

Proposed solution

It seems to me that Github uses its own GPG key because it wouldn't be a viable solution for the users to upload their private keys to Github, but as Github CLI runs locally it would be possible to use the collaborator key to sign the squashed commit, increasing the overall confidence that the code wasn't tampered with.

Additional context

Add any other context like screenshots or mockups are helpful, if applicable.

[mislav]

but as Github CLI runs locally it would be possible to use the collaborator key to sign the squashed commit, increasing the overall confidence that the code wasn't tampered with.

Right now, our ability to Squash and Merge pull requests is limited by the functionality that the API provides. User GPG keys are not supported by the API for the Squash and Merge operation, so we can't really support that through CLI either.

However, if the user who intends to do a squash & merge operation with their own GPG key is already in the context of the git repository, it's always an option for them to perform the merge manually:

gh pr checkout 123
git checkout main
git merge --squash --gpg-sign -
git push origin main
gh pr close 123

Do you think this is an acceptable workaround?

[vilmibm]

Closing this as it's gotten a bit stale but we can reopen for discussion if needed.

[L-as]

This feature would be nice. Are there any plans to add it?

[mmitche]

This feature would be nice. Are there any plans to add it?

Agreed. Would love to see this, especially with yubikey support

[Diaoul]

I think it should be configurable to either use the GH API for such operation or the local way. However this means gh makes changes to the local repo, which it doesn't currently do.
Not sure what the best way to solve this is but current state of commit signing with squash or rebase is not ideal.

[L-as]

gh doesn't have to change the visible state of the local repository, since Git is content-addressed.

[perezd]

I would also like this to happen.

[booi]

I'd love to see this happen as well. While GPG signing of individual commits is great, we actually need this more when merged into the parent branch since (generally) squash commits are more common and would preserve the traceability of code changes.

Could we reopen this ticket?

[mislav]

@booi No, sorry; our current recommendation for anyone who wants to use their own local GPG key to sign things is to create all git objects locally (including merge commits) instead of having GitHub create them. I realize that this isn't ideal for all use-cases; for example, if you squash-merge a PR locally and push that to main, the original PR will not get marked as "merged".

[bkurtz]

One important case where the "squash-merge and sign locally, then push to main" doesn't work is if there's a branch-protection rule on main, e.g. one that requires CI to pass on a PR before merging.

[booi]

@bkurtz Maybe I'm not understanding but wouldn't Github be able to verify that it passes? i.e. take the commit that you want to merge and verify that it ran through CI before allowing the merge?