diff --git a/doc/user/project/repository/push_rules.md b/doc/user/project/repository/push_rules.md index 414f862843d345e63beb73043d70801cf9439256..539944ae471fc8ec3840822339de48b97264f551 100644 --- a/doc/user/project/repository/push_rules.md +++ b/doc/user/project/repository/push_rules.md @@ -318,7 +318,7 @@ You can combine multiple patterns into one expression. This example combines all ## Require signed commits -[Signed commits](signed_commits/_index.md) are digital signatures used to verify authenticity. +Signed commits are digital signatures used to verify authenticity. Use the **Reject unsigned commits** push rule to require all commits to have cryptographic signatures. When you enable this rule: @@ -336,6 +336,10 @@ To enable the **Reject unsigned commits** push rule: 1. Select **Reject unsigned commits**. 1. Select **Save push rules**. +The behavior of this rule varies depending on your merge strategy and how commits are created. +For information about how this rule works with merge requests, see +[Signed commits](signed_commits/_index.md). + ## Reject commits that aren't DCO certified Commits signed with the [Developer Certificate of Origin](https://developercertificate.org/) (DCO) diff --git a/doc/user/project/repository/signed_commits/_index.md b/doc/user/project/repository/signed_commits/_index.md index 8516e7bb8dad42622c00d375e4842b582ad402f3..3cf2463c32d2b76c979a85724424778c7a9ece1c 100644 --- a/doc/user/project/repository/signed_commits/_index.md +++ b/doc/user/project/repository/signed_commits/_index.md 
@@ -97,11 +97,57 @@ To restore the green verified label, verify the mapped email address, or remove ## Enforce signed commits with push rules -You can require signed commits across your projects using push rules. -The **Reject unsigned commits** push rule prevents any unsigned commits from being pushed -to a repository, helping organizations maintain code integrity and meet compliance requirements. +You can require signed commits across your projects by using push rules. +The **Reject unsigned commits** push rule prevents unsigned commits from being pushed +to a repository. This helps organizations maintain code integrity and meet compliance requirements. -For more information about how this rule works and its limitations, see [Require signed commits](../push_rules.md#require-signed-commits). +The push rule validates commits at push time, not at merge time. The behavior varies +depending on how commits are created and merged. To enable this rule, see [Require signed commits](../push_rules.md#require-signed-commits). + +For direct pushes: + +- All commits pushed directly to branches must be signed. +- Unsigned commits are rejected at push time. + +For merge requests, the behavior depends on your project's merge strategy: + +- Fast-forward merge: + - All commits in the merge request must be signed. + - Each commit is validated when the merge request is merged. + +- Merge commit (no squashing): + - All commits in the merge request must be signed. + - GitLab creates an additional merge commit, which is signed by GitLab if + commit signing for GitLab UI commits is configured. + +- Squash and merge: + - Individual commits in the merge request don't need to be signed. + - GitLab creates a single squashed commit, which is signed by GitLab if + commit signing for GitLab UI commits is configured. + - This allows unsigned commits from Web IDE, Code Suggestions, and community forks to be merged. 
+ +### Commits created by GitLab + +Commits created through the GitLab web interface are automatically signed by GitLab +when [commit signing for GitLab UI commits](web_commits.md) is configured. +These commits bypass the unsigned commit restriction: + +- Web IDE and single-file editor commits. +- Commits created when you [apply suggestions](../../merge_requests/reviews/suggestions.md#apply-suggestions). + +### Community fork contributions + +Commits from community forks follow the same signing requirements as other commits. +If contributors can't sign their commits, consider enabling +[squash and merge](../../merge_requests/squash_and_merge.md) to allow their contributions. +When squashing is enabled, GitLab creates a signed squash commit regardless of +the signature status of individual commits. + +### Multiple authors + +Each commit must be signed by its committer. +For [co-authored commits](../../merge_requests/reviews/suggestions.md#batch-suggestions), +the commit is signed by the committer, not all authors. ## Troubleshooting
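Review bot: In `push_rules.md`, hunk `@@ -318,7 +318,7 @@` under "Require signed commits", the rewritten opening line still reads "Signed commits are digital signatures", which equates the commit with its signature. Since the line is being changed anyway, suggest wording such as "Signed commits include a digital signature used to verify authenticity." Removing the link here also leaves the first mention of the term unlinked until the paragraph added after the enable steps.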
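Review bot: In `push_rules.md`, hunk `@@ -336,6 +336,10 @@`, the paragraph added after "Select **Save push rules**." links to the top of `signed_commits/_index.md`, but the behavior it promises is documented under that page's "Enforce signed commits with push rules" heading. Suggest linking to that heading's anchor, the same way the reverse link targets `../push_rules.md#require-signed-commits`. The paragraph also sits after the enable steps, so a reader who follows them turns the rule on before learning that the merge strategy changes what it enforces; consider moving it above the steps.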
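Review bot: In `signed_commits/_index.md`, hunk `@@ -97,11 +97,57 @@`, the new text contradicts itself on when validation happens: it states "The push rule validates commits at push time, not at merge time", and then the fast-forward bullet says "Each commit is validated when the merge request is merged." Suggest stating once, per path, when the check runs. The squash wording is also inconsistent: the merge strategy list says the squashed commit is signed by GitLab "if commit signing for GitLab UI commits is configured", while "Community fork contributions" says GitLab creates a signed squash commit "regardless of the signature status of individual commits" with no such condition, and nothing describes the outcome when that signing is not configured. Because the squash path lets unsigned commits reach the target branch under a GitLab signature, the section should say so explicitly, so that readers relying on this rule for the stated compliance purpose know what it does not cover.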