Add support for git-push --signed
Release notes
Problem to solve
While some organisations use signed commits and tags today, those signatures do not cover the question of whether a given push was actually intended to update the master branch or the files in a release. A signature on the push itself would allow auditing and traceability in environments where changes to files need additional authentication to ensure the validity of updates.
A signed git-push mechanism could provide this additional authentication as an extra layer of security.
Intended users
User experience goal
- The Systems Administrator should be able to turn on/off git-push --signed adherence on a project/group level
- The Development Team Lead should be able to determine if git-push --signed is enabled for their project/group
- The Software Developer should be able to use git-push --signed from their console
- The Security Analyst/Security Operations Analyst should be able to audit all signed/non-signed pushes
- The Release Manager should be able to see if any additions to the release have not been signed
- The Compliance Manager should be able to see if a release has any pushes or commits flagged as not signed
Proposal
The System Admin logs into GitLab and in the Admin section enables the feature on a few important groups. The Development Team Lead as well as the Software Developer are notified that this has been enabled for their group and start to use this feature from the command line. Ideally the WebIDE and other tools will support this too.
Once pushes are being signed, the Security Analysts should be able to see which pushes have not been signed, either via the API or in the Security Dashboard. The Release Manager will be able to see a flag, for information, on any release that has previously had non-signed pushes. The Compliance Manager can see an audit of any non-conforming events in the Compliance dashboard and pull up the logs and user information.
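The server-side half of the proposal, as an added example that is not GitLab's code: a pre-receive hook that applies the "require signed pushes" policy and writes one audit line per push. It relies only on the variables git's receive-pack exports to hooks when a push certificate is present (GIT_PUSH_CERT_STATUS, GIT_PUSH_CERT_NONCE_STATUS, GIT_PUSH_CERT_SIGNER, documented in githooks(5)). The REQUIRE_SIGNED_PUSH variable stands in for the per-project/group toggle described above, and the push-cert-audit.log file name is an assumption of this example; the nonce check assumes the server has receive.certNonceSeed configured, since without it a client never sends a nonce and the status is reported as MISSING.

```shell
#!/bin/sh
# Example pre-receive hook enforcing signed pushes (not GitLab's own code).
# Git exports these for receive-pack hooks when a push certificate was sent:
#   GIT_PUSH_CERT_STATUS       G good, U good but untrusted key, B bad, N none, ...
#   GIT_PUSH_CERT_NONCE_STATUS OK, SLOP, MISSING, BAD, UNSOLICITED
#   GIT_PUSH_CERT_SIGNER       key owner as reported by gpg

# Stand-in for the per-project/group "require signed pushes" setting (assumption).
REQUIRE_SIGNED_PUSH="${REQUIRE_SIGNED_PUSH:-1}"

# signed_push_verdict STATUS NONCE_STATUS
# Prints "accept" or "reject"; kept free of git calls so the policy is testable.
signed_push_verdict() {
    status="$1"
    nonce_status="$2"
    # No certificate at all: git leaves GIT_PUSH_CERT_STATUS unset.
    if [ -z "$status" ]; then
        if [ "$REQUIRE_SIGNED_PUSH" = "1" ]; then echo reject; else echo accept; fi
        return 0
    fi
    # Only a good signature from a trusted key passes; U (untrusted key) is
    # rejected here on purpose, the key must be known to the server.
    case "$status" in
        G) ;;
        *) echo reject; return 0 ;;
    esac
    # OK (or SLOP within receive.certNonceSlop) means the certificate was made
    # for this server session, so a captured certificate cannot be replayed.
    # Requires receive.certNonceSeed on the server.
    case "$nonce_status" in
        OK|SLOP) echo accept ;;
        *) echo reject ;;
    esac
}

# audit_line STATUS NONCE_STATUS SIGNER VERDICT
# One line per push for the Security Analyst / Compliance audit use case.
audit_line() {
    printf 'push_cert status=%s nonce=%s signer="%s" verdict=%s\n' \
        "${1:-none}" "${2:-none}" "${3:-unknown}" "$4"
}

# Only act when git invokes this file as the pre-receive hook.
case "${0##*/}" in
pre-receive)
    verdict=$(signed_push_verdict "$GIT_PUSH_CERT_STATUS" "$GIT_PUSH_CERT_NONCE_STATUS")
    # Audit file location is an assumption of this example.
    audit_line "$GIT_PUSH_CERT_STATUS" "$GIT_PUSH_CERT_NONCE_STATUS" \
        "$GIT_PUSH_CERT_SIGNER" "$verdict" >> "${GIT_DIR:-.}/push-cert-audit.log"
    if [ "$verdict" != accept ]; then
        echo "rejected: this project requires a valid signed push (git push --signed)" >&2
        exit 1
    fi
    ;;
esac
```

Install it as hooks/pre-receive in the bare repository and set receive.certNonceSeed; a developer then pushes with git push --signed, and every push, signed or not, lands in the audit file with its verdict, which is the data the dashboards in the proposal would surface.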
Further details
Some more information on the use cases here and here