Enable bots to sign commits and have GitLab verify them
Proposal
The goal is to enable customers to require that all commits must be signed and at the same time let them have bots push commits (that are not rejected). There are two ways we could do this:
- Allow project bots to have public GPG and SSH keys stored in GitLab so that GitLab can verify their commits. Things to consider:
- Unlike a user's private key, a bot's private key is not fully private to the bot: every user with access to the bot also has access to its private key and its access token, so they could impersonate the bot.
- Calling such commits "signed with this bot's key" is probably still acceptable.
- Make an exception for commits from bots from the rule that requires commits to be signed.
- We can already detect whether the pusher was a bot. So it would not require means to
The first approach seems much cleaner.
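To make the two approaches concrete, here is an added example that is not GitLab code: a small model of a server-side "reject unsigned commits" push rule. Approach 1 is represented by registering the bot's public key next to the users' keys so the bot's commits verify like anyone else's; approach 2 by an exemption for pushes made by a bot. The class and method names, the email addresses and the commit payloads are assumptions for the example; keys are Ed25519 keys generated in memory with Ruby's OpenSSL bindings (openssl gem 3.0 or newer).

```ruby
require "openssl"

# Added example, not GitLab's code. Commit carries only what the push rule
# needs: the email the commit claims, the bytes that were signed, the
# signature (nil when unsigned) and whether GitLab identified the pusher as a
# bot. All names here are assumptions for the example.
Commit = Struct.new(:author_email, :payload, :signature, :pusher_is_bot, keyword_init: true)

class SignedCommitPolicy
  # keys_by_email: { email => [public keys] } as stored in GitLab.
  # Approach 1 is simply a bot entry in this map; exempt_bots enables approach 2.
  def initialize(keys_by_email:, exempt_bots: false)
    @keys_by_email = keys_by_email
    @exempt_bots = exempt_bots
  end

  # Returns [:accept | :reject, reason].
  # A present signature is always checked; the bot exemption only covers the
  # absence of a signature, never a signature that fails to verify.
  def check(commit)
    if commit.signature
      return [:accept, :verified] if verified?(commit)
      return [:reject, :bad_or_unknown_signature]
    end
    return [:accept, :bot_exempt] if @exempt_bots && commit.pusher_is_bot
    [:reject, :unsigned]
  end

  private

  # A signature counts only if it verifies under a key registered for the
  # email the commit claims; a valid signature from somebody else's key is
  # still rejected, so a bot key cannot be used to pose as a user.
  def verified?(commit)
    @keys_by_email.fetch(commit.author_email, []).any? do |pub|
      begin
        pub.verify(nil, commit.signature, commit.payload)
      rescue OpenSSL::PKey::PKeyError
        false
      end
    end
  end
end

def generate_key
  OpenSSL::PKey.generate_key("ED25519")
end

def public_of(key)
  OpenSSL::PKey.read(key.public_to_pem)
end

# Constructed commit contents; the tree hash is git's well-known empty tree.
def sign_commit(email:, key:, pusher_is_bot:)
  payload = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor #{email}\n\nautomated update\n"
  Commit.new(author_email: email, payload: payload,
             signature: key.sign(nil, payload), pusher_is_bot: pusher_is_bot)
end

def unsigned_commit(email:, pusher_is_bot:)
  Commit.new(author_email: email, payload: "author #{email}\n\nmanual change\n",
             signature: nil, pusher_is_bot: pusher_is_bot)
end

# Runs both approaches over the same commits and returns the verdicts.
def run_scenarios
  alice_key = generate_key
  bot_key = generate_key
  human_keys = { "alice@example.com" => [public_of(alice_key)] }

  approach1 = SignedCommitPolicy.new(
    keys_by_email: human_keys.merge("project_bot@example.com" => [public_of(bot_key)]))
  approach2 = SignedCommitPolicy.new(keys_by_email: human_keys, exempt_bots: true)

  bot_signed = sign_commit(email: "project_bot@example.com", key: bot_key, pusher_is_bot: true)
  bot_unsigned = unsigned_commit(email: "project_bot@example.com", pusher_is_bot: true)
  mallory_unsigned = unsigned_commit(email: "mallory@example.com", pusher_is_bot: false)
  # The caveat from the proposal: a human holding the bot's private key can
  # produce a commit that is indistinguishable from the bot's own.
  insider_as_bot = sign_commit(email: "project_bot@example.com", key: bot_key, pusher_is_bot: false)
  # The bot key must not let anyone verify as alice.
  bot_key_as_alice = sign_commit(email: "alice@example.com", key: bot_key, pusher_is_bot: true)

  {
    approach1: {
      bot_signed: approach1.check(bot_signed),
      bot_unsigned: approach1.check(bot_unsigned),
      insider_as_bot: approach1.check(insider_as_bot),
      bot_key_as_alice: approach1.check(bot_key_as_alice),
      mallory_unsigned: approach1.check(mallory_unsigned),
    },
    approach2: {
      bot_unsigned: approach2.check(bot_unsigned),
      bot_signed: approach2.check(bot_signed), # no key registered for the bot here
      mallory_unsigned: approach2.check(mallory_unsigned),
    },
  }
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios.each do |approach, results|
    results.each { |name, (verdict, why)| puts "#{approach} #{name}: #{verdict} (#{why})" }
  end
end
```

Running the file prints one verdict per scenario. The `insider_as_bot` case is the impersonation caveat made visible: under approach 1 the server accepts it as verified because the signature genuinely comes from the bot's key, which is exactly why the page notes that such commits are "signed with this bot's key" rather than proof of who pushed them.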
Next steps
- Analytics: find out what percentage of projects uses bot users at all
- Wait for more feedback to see how popular this would be
Customer requests
Edited by 🤖 GitLab Bot 🤖