Netlify CMS commits that are signed with a verified signature. #3284

Open
christopherdufort opened this issue Feb 18, 2020 · 4 comments

Comments

@christopherdufort

Is your feature request related to a problem? Please describe.
We try to enforce signed commits on our projects to ensure people are who they say they are when they commit to a repo, but we have to turn this setting off when creating repos that can be committed to by Netlify CMS.

Describe the solution you'd like
A way to have signed commits, possibly verified by using gpg keys.

Describe alternatives you've considered
Making a specific GitHub account/repo separate for the CMS commits.

Additional context
There may be a way to do this currently that I can't think of or find an idea on how to start going about it.

@erezrokah
Contributor

erezrokah commented Feb 19, 2020

Thanks for opening this @christopherdufort, there are two challenges here:

  1. Finding a secure way to distribute the signing keys. I believe this will require some kind of backend that matches the user to its signing key and then prompts for the signing key password. Having a backend that stores all signing keys requires some considerations as well.
  2. Implementing commit signing in the browser using JavaScript. This might serve as a good reference.
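
What challenge 2 involves at the byte level, as an added example that is not part of the original comment or of the Netlify CMS code base: git signs the commit object text without its `gpgsig` header, then stores the armored signature in that header with continuation lines indented by one space. The sample commit, the placeholder signature and the function names are constructed for illustration; producing a real OpenPGP signature is left to a signing library or device.

```javascript
// Constructed sample: the commit object text a signer receives (the signed payload).
const samplePayload = [
  'tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904', // git's well-known empty tree
  'author Example Editor <editor@example.com> 1582000000 +0000',
  'committer Example Editor <editor@example.com> 1582000000 +0000',
  '',
  'Update post via CMS',
  '',
].join('\n');

// Constructed placeholder standing in for a detached, ASCII-armored signature.
const sampleSignature = [
  '-----BEGIN PGP SIGNATURE-----',
  '',
  'PLACEHOLDER',
  '-----END PGP SIGNATURE-----',
].join('\n');

// Signer side: fold the signature into a gpgsig header placed after the last header.
function embedSignature(payload, armored) {
  const split = payload.indexOf('\n\n');
  if (split === -1) throw new Error('no header/body separator');
  if (/^gpgsig /m.test(payload.slice(0, split))) throw new Error('already signed');
  const folded = armored.trimEnd().split('\n').join('\n ');
  return `${payload.slice(0, split)}\ngpgsig ${folded}${payload.slice(split)}`;
}

// Verifier side: recover the exact signed bytes and the signature to check them against.
function extractSignature(commit) {
  const split = commit.indexOf('\n\n');
  if (split === -1) throw new Error('no header/body separator');
  const kept = [];
  const sig = [];
  let inSig = false;
  for (const line of commit.slice(0, split).split('\n')) {
    if (line.startsWith('gpgsig ')) {
      inSig = true;
      sig.push(line.slice('gpgsig '.length));
    } else if (inSig && line.startsWith(' ')) {
      sig.push(line.slice(1)); // continuation line: drop the one-space indent
    } else {
      inSig = false;
      kept.push(line);
    }
  }
  if (sig.length === 0) return null; // unsigned commit
  return { payload: kept.join('\n') + commit.slice(split), signature: sig.join('\n') };
}
```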

@benhovinga

I am also looking for a solution to this problem.
I am not making claims to know how the backend works but I have some ideas how this could be implemented.

I'm thinking of something similar to a 2FA using a YubiKey or Windows Hello in the browser. Perhaps there could be a browser extension (or browser API) similar to Mailvelope, that stores and handles your keys locally. But not just for Netlify CMS, instead any website could use this API. The website could send the information it requires signing, the format for signing, and perhaps a public key it's expecting. If the extension has the corresponding private key, and is configured to sign in the format requested (git in this case), your browser will then prompt the user, "Do you want to sign this?", then prompt for the password. Your browser would reach out to the configured app (git) to request signing as if it was done locally, then pass the signed request back to the website to be processed as normal.

I just want to be able to use my keys in more places online as a way to verify or encrypt my activity with various websites, without having to do everything from the command line or a local program.

Now if anyone understands that, congratulations. I am autistic and communication is not a strong point for me. But I believe something like this could be accomplished. I don't know if there would be any security implications because of it, but I still think it's possible. I just don't know how to make it happen, otherwise I would be building that extension right now.

@robigan

robigan commented Nov 28, 2022

I too would like this feature. Why complicate things when you can just use the GitHub API (or other APIs for other backends) to add an SSH key to the repo Netlify CMS works on? Just like actual Netlify does.

@stale

stale bot commented Apr 26, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
