Comment 7 for bug 297610

John A Meinel (jameinel) wrote : Re: bzr dont check signature policy in branch.conf

Requiring that every commit be signed is not something that you can enforce on *users'* machines. As you said, they may not have set "create_signatures=always" on their local host. Heck, they may not even have gpg installed.

The only way to *reliably* do it is to enforce things *server* side. Such as by rejecting a merge/push/commit/etc if any of the revisions being transmitted do not have a gpg signature. Then if a user's merge is rejected, they can use something like "sign-my-commits" to go back and fill in ones that they should have signed.

I'm not sure how you handle "3rd-party" contributions, but it sounds like your development group is closed so that is probably not an issue.

At the moment, it is not possible to do this with stock "bzr", so it would require extra development. Either via something like a PQM or a human gatekeeper, or some lighter-weight plugin.

Also, right now a push via bzr+ssh still has most of the work being done by the client. I believe as Andrew finishes up:
http://bazaar-vcs.org/IdealSmartPush

That will change. Also, I believe there is a requirement for a different project to disallow the Virtual FS writes (so all data comes in as logical data and gets processed into bytes-on-disk by a server-side process). So there is some development focus on implementing that.
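The server-side check described in the comment above, sketched as an added example that is not part of the original comment and is not bzr code. The function names, the revision ids and the dict/set model of the repository are all assumptions made for illustration; the check tests only whether a signature is present, as the comment describes, and does not verify it against a keyring.

```python
from collections import deque

def new_revisions(tip, parents, server_has):
    """Walk ancestry from the pushed tip and return every revision id the
    server does not already hold, including revisions brought in by merges."""
    seen, queue, incoming = set(), deque([tip]), []
    while queue:
        rev = queue.popleft()
        if rev in seen or rev in server_has:
            continue  # already visited, or already on the server
        seen.add(rev)
        incoming.append(rev)
        queue.extend(parents.get(rev, ()))
    return incoming

def check_push(tip, parents, server_has, signed):
    """Gatekeeper decision: accept only if every transmitted revision has a
    signature. Returns (accepted, unsigned_revision_ids)."""
    incoming = new_revisions(tip, parents, server_has)
    unsigned = sorted(r for r in incoming if r not in signed)
    return (not unsigned, unsigned)

# Constructed sample data (hypothetical revision ids).
# rev-5 merges a feature line (feat-1 -> feat-2) whose first commit was made
# on a machine without create_signatures=always, so it carries no signature.
SERVER_HAS = {"rev-1", "rev-2"}
PARENTS = {
    "rev-1": [],
    "rev-2": ["rev-1"],
    "rev-3": ["rev-2"],
    "rev-4": ["rev-3"],
    "feat-1": ["rev-2"],
    "feat-2": ["feat-1"],
    "rev-5": ["rev-4", "feat-2"],
}
SIGNED = {"rev-3", "rev-4", "rev-5", "feat-2"}

if __name__ == "__main__":
    ok, missing = check_push("rev-5", PARENTS, SERVER_HAS, SIGNED)
    print("accepted" if ok else "rejected, unsigned: %s" % ", ".join(missing))
    # After the author signs the listed revision, the same push passes.
    ok, missing = check_push("rev-5", PARENTS, SERVER_HAS, SIGNED | {"feat-1"})
    print("accepted" if ok else "rejected, unsigned: %s" % ", ".join(missing))
```

The rejection lists the exact revision ids that lack a signature, which is what the pusher needs in order to go back and sign them before retrying.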