Does everyone on your engineering team sign their code?

How do you go about verifying signatures and making sure the code signing verifies every time you push/pull code?

Does your team rely on GitHub's server-side verification?
We don't for the most part, but ended up moving to a VPNed GitHub Enterprise installation over the possibility (albeit an unlikely one) that GitHub's main cloud could be compromised and used to inject malicious code into a repository that we own.

It doesn't hurt to shore up on security, but given the expense of operating a GHE installation, the fact that there are some GH niceties that don't work quite right there, and that even in just a few months of use GHE already has a poorer availability record than the public GH cloud, broad code signing might have been a better approach.

We do sign in a few places, like for our internal deployment tool that gets widely distributed to all engineers, and which checks its code signature before allowing a deploy. It works pretty well, but the fact that GitHub's "merge pull request" button exists (which will create a merge commit on `HEAD` without a valid signature) tends to cause a fair bit of inconvenience.

I'd definitely be curious if others have been making this work.
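The check the comment above describes (a deploy tool refusing to proceed unless the history it is about to ship is signed, and tripping over unsigned merge commits) can be implemented on top of `git log`'s signature placeholders. The script below is an added example, not code from the thread or from any of the tools mentioned in it; it assumes `git` and `gpg` are on PATH with the signers' public keys imported, and the key-id allowlist `TRUSTED_KEYS` is a constructed placeholder. It walks a revision range, requires every commit to carry a good signature from an allowlisted key, and reports unsigned merge commits separately so the "merge pull request" button case is easy to spot in the output.

```python
"""Reject a revision range unless every commit has a good signature from a trusted key.

Added example (not from the thread). Uses git's own log placeholders:
  %H  commit hash        %G? signature status      %GK signing key id
  %P  parent hashes (space separated; more than one parent means a merge)
Signature status codes as documented by git:
  G good  B bad  U good but unknown validity  X good but expired
  Y good but expired key  R good but revoked key  E cannot check (no key)
  N no signature
"""
import subprocess
import sys

# Constructed placeholder: key ids your team actually uses go here.
TRUSTED_KEYS = {"ABCDEF0123456789"}

# Only an unambiguously good signature passes; U/X/Y/R/E are all rejected
# because each one means the verifier could not fully vouch for the signer.
ACCEPTED_STATUS = {"G"}

LOG_FORMAT = "%H%x1f%G?%x1f%GK%x1f%P"  # %x1f = ASCII unit separator


def parse_log(text):
    """Turn `git log --format=LOG_FORMAT` output into a list of commit dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, key, parents = line.split("\x1f", 3)
        commits.append({
            "sha": sha,
            "status": status,
            "key": key,
            "is_merge": len(parents.split()) > 1,
        })
    return commits


def find_violations(commits, trusted_keys=TRUSTED_KEYS):
    """Return (sha, reason) pairs for commits that fail the signing policy."""
    violations = []
    for c in commits:
        if c["status"] not in ACCEPTED_STATUS:
            kind = "unsigned merge commit" if c["is_merge"] and c["status"] == "N" \
                else f"signature status {c['status']!r}"
            violations.append((c["sha"], kind))
        elif c["key"] not in trusted_keys:
            violations.append((c["sha"], f"good signature but untrusted key {c['key']}"))
    return violations


def check_range(rev_range):
    """Run git for a range such as 'origin/main..HEAD' and return violations."""
    out = subprocess.run(
        ["git", "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_violations(parse_log(out))


# Constructed sample log output: a good signed commit, an unsigned merge
# (the "merge pull request" button case), and a commit signed by a key not
# on the allowlist.
SAMPLE_LOG = (
    "a1b2c3\x1fG\x1fABCDEF0123456789\x1f9f9f9f\n"
    "d4e5f6\x1fN\x1f\x1fa1b2c3 0000aa\n"
    "112233\x1fG\x1fDEADBEEF00000000\x1fd4e5f6\n"
)


if __name__ == "__main__":
    rng = sys.argv[1] if len(sys.argv) > 1 else None
    problems = check_range(rng) if rng else find_violations(parse_log(SAMPLE_LOG))
    for sha, reason in problems:
        print(f"REJECT {sha}: {reason}")
    sys.exit(1 if problems else 0)
```

Run it as `python verify_range.py origin/main..HEAD` from a pre-push hook or from the deploy tool; with no argument it evaluates the constructed sample and rejects the unsigned merge and the untrusted-key commit while accepting the first one. Note that `%G?` reports `E` rather than `N` when a commit is signed but the public key is not in the verifier's keyring, so a deploy host needs the team's keys imported before this check means anything.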
I'm curious as to why one would want to do that. Maybe it's because we host internally (internal Bitbucket server) that I don't think we would need this, or maybe because we are small and know who is pushing what.