
Prevent users from adding SSH/GPG keys on their own


Proposal

Gitlab allows setting Push rules to enforce that commits are signed, as documented here: https://docs.gitlab.com/ee/user/project/repository/push_rules.html

These do not verify the signature, but that is already a separate issue - #208313

Assuming that issue is solved however, there is still a scenario where a developer could just create a new PGP key and add it to their account from this page: https://gitlab.com/-/profile/gpg_keys

As a security admin, I would like to be able to disable developers from adding new keys to their gitlab account, or configure rules to ensure commits are signed with a certain key ID.

Possible UX

The feature could be as simple as having a textbox alongside "reject unsigned commits" which accepts a CSV or something of GPG KEY IDs that are allowed to sign commits. I.e. add a textbox below this if it is checked

image

As for the implementation on the backend, I am not too sure how it's best done.

Alternatives Considered

One hacky way I've thought of is a CI/CD job which goes through git log and verifies signatures. However, since .gitlab-ci.yml is part of a repository, this seems trivial for a developer to bypass, if they intend to do so.
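The CI-side check sketched above, written out as an added example (not code from the issue or from GitLab): it reads git's per-commit signature status and signing key ID and rejects any commit not signed by an allowlisted key. The key IDs, the commit range variables' fallback and the treatment of "U" (good signature, unknown trust) are assumptions of this example.

```python
"""Reject commits in a range unless signed with an allowlisted GPG key ID.

Parses `git log --format='%H%x09%G?%x09%GK'` output: %G? is git's one-letter
signature status and %GK is the ID of the key that made the signature.
"""
import os
import subprocess
import sys

# Constructed placeholder key IDs (long, 16 hex digits); not real keys.
ALLOWED_KEY_IDS = {"0123456789ABCDEF", "FEDCBA9876543210"}

# "G" = good signature, "U" = good signature but key has unknown trust.
# CI keyrings rarely carry ownertrust, so "U" is accepted here (assumption).
# Everything else ("B" bad, "E" unverifiable, "X"/"Y"/"R" expired/revoked,
# "N" no signature) fails the policy.
GOOD_STATUSES = {"G", "U"}

LOG_FORMAT = "%H%x09%G?%x09%GK"


def check_commits(log_lines, allowed_key_ids):
    """Return [(commit, reason), ...] for every commit that fails the policy."""
    allowed = {k.upper() for k in allowed_key_ids}
    violations = []
    for line in log_lines:
        if not line.strip():
            continue
        # Pad so an unsigned commit ("<hash>\tN\t") still unpacks cleanly.
        commit, status, key_id = (line.split("\t") + ["", ""])[:3]
        if status == "N":
            violations.append((commit, "unsigned"))
        elif status not in GOOD_STATUSES:
            violations.append((commit, f"bad or unverifiable signature ({status})"))
        elif key_id.upper() not in allowed:
            violations.append((commit, f"signed with non-allowlisted key {key_id}"))
    return violations


def git_log_lines(rev_range):
    """Run git log over rev_range and return its lines (requires the keyring)."""
    result = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                            check=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def main():
    # GitLab predefined variables; CI_COMMIT_BEFORE_SHA is all zeros on a new branch.
    before = os.environ.get("CI_COMMIT_BEFORE_SHA", "")
    after = os.environ.get("CI_COMMIT_SHA", "HEAD")
    rev_range = after if set(before) <= {"0"} else f"{before}..{after}"
    bad = check_commits(git_log_lines(rev_range), ALLOWED_KEY_IDS)
    for commit, reason in bad:
        print(f"REJECT {commit}: {reason}")
    sys.exit(1 if bad else 0)


if __name__ == "__main__":
    main()
```

Allowlisting full fingerprints via `%GF`/`%GP` instead of `%GK` key IDs is the stricter variant if the policy is ever tightened.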

Edited by 🤖 GitLab Bot 🤖