backport automation: to cherry-pick the signed commits

[v1v]

Technical issue

https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-bots

Requested-By

• [email protected] typeform m07emm9gk0chl80hjbkenjm07emmh3yl
• Back Market
• backport automation: to cherry-pick the signed commits #5077

[jd]

Not sure we could have anything verified even by cherry-picking the original commits, since the sha1 are going to change anyway and Mergify can't re-sign the commits using the original author key. Or do I miss something?

[v1v]

Gotcha, I understand there is a limitation with the git flow itself, so nothing we can do about it.

For now, since mergify can override the branch protection behaviour, we enabled to auto-approve those backported PRs with mergify itself, so it works smooth and nice in our end.

Thanks Julien, I guess we can close this issue now

[jd]

@v1v we spent time digging into that features, but it's not really clear the value of the whole signature system, especially with things like https://blog.mergify.com/un-signed-commits-how-we-found-a-non-security-bug-in-github/

Would it be possible to have more context about what's expected from the GitHub setting? Happy to schedule a chat with you or your (security) team.