[Feature request] Hardening the supply chain with Git signed PGP commits

Hello, supply chain attacks are the new trending attacks, with the latest being PHP code and infrastructure itself.

Git supports signing commits with PGP keys and GitHub verifies these signatures before pushing. Signing with PGP means that attackers with access to the source code servers cannot make code changes, since they don't have the secret key to generate the signatures. They will have to hack a developer's computer.

I'm following this guide: https://docs.github.com/en/github/authenticating-to-github/signing-commits

This is a request for a better GUI for managing signing keys and selecting the identity you are making a commit as in PHPStorm (and other IntelliJ software).

As every company and critical software project should be enforcing this right now, let's make it easier to stop this kind of attack.

Thanks.

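The enforcement the post describes, as an added example that is not code from the original post: a server-side gate that uses Git's own signature verdict for each commit and refuses a push if any commit lacks a good, trusted signature. It assumes it runs as a pre-receive hook on a server whose GPG keyring holds the developers' public keys; the status letters come from Git's `%G?` placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reject pushes containing commits
# that Git cannot verify as carrying a good signature from a trusted key.
# Assumption: executed as a pre-receive hook inside the server-side repository.
set -euo pipefail

# Map Git's %G? status letter to a verdict.
#   G good signature          B bad signature         U good but key not trusted
#   X good but expired        Y good, key expired     R good, key revoked
#   E cannot check (no key)   N no signature at all
classify_status() {
  case "$1" in
    G) echo accept ;;
    *) echo reject ;;
  esac
}

# Walk every commit in RANGE (e.g. old..new from a pre-receive hook) and print
# one line per commit that would be rejected. Returns 1 if any were rejected.
check_range() {
  local range="$1" rejected=0 hash status signer
  while read -r hash status signer; do
    if [ "$(classify_status "$status")" = reject ]; then
      printf 'REJECT %s status=%s signer=%s\n' "$hash" "$status" "${signer:-none}"
      rejected=1
    fi
  done < <(git log --format='%H %G? %GS' "$range")
  return "$rejected"
}

# Hook entry point: Git feeds "oldrev newrev refname" lines on stdin.
pre_receive() {
  local old new ref failed=0
  while read -r old new ref; do
    # An all-zero oldrev means a new branch: check everything reachable from new.
    if [ "$old" = "0000000000000000000000000000000000000000" ]; then
      check_range "$new" || failed=1
    else
      check_range "$old..$new" || failed=1
    fi
  done
  return "$failed"
}
```

Note that `U` (good signature, untrusted key) is rejected as well, so the server keyring must mark developer keys as trusted or the gate will refuse legitimate commits.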

Hi,

Just in case, here is the related ticket on YouTrack:

https://youtrack.jetbrains.com/issue/IDEA-110261

I have left an internal comment on this forum post to bring some extra attention to it.
