Problem to solve
I created a GitLab CI Pipeline that signs commits and tags with a GPG key. The key is loaded from a global CI variable before any commits are made. The GPG public key is added to GitLab.
I enabled signing via git config with:
git config user.signingkey <gpg key id>
git config commit.gpgsign true
git config tag.gpgSign true
When I create commits in the CI pipeline, they are signed, and when pushed they show up as verified in the GitLab UI.
But when I create tags and push them in the CI pipeline, they show up as unverified in the GitLab UI, with the following error message:
When viewing the tag metadata in the CLI I get the correct information:
The “tagger” matches the “Korrekte Signatur von” and “Aussteller” from the gpg output; the GPG key ID used also matches what is loaded in the CI pipeline.
Steps to reproduce
- Create a valid GPG key
- Export the private GPG key in ASCII format and encrypt it with base64
- Store the GPG private key as a CI variable in GitLab
- Export the public GPG key in ASCII format and add it to your GPG keys in GitLab preferences
- In the CI pipeline:
  - Load the GPG private key using gpg
  - Enable commit and tag signing in git config
  - Create a commit and push it
  - Create a tag and push it
- The commit is verified
- The tag is unverified
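The following script is an added example, not part of the issue report or of any GitLab code. It walks through the reproduction steps above in a CI-style job (import the base64-encoded ASCII-armored private key, turn on commit and tag signing, create a signed commit and tag) and then adds the check a reporter would want before filing: confirming locally, from the raw gpg status lines that `git verify-commit --raw` and `git verify-tag --raw` print, that the commit and the tag carry good signatures from the same fingerprint. If that check passes, the difference between "verified" and "unverified" is in how the server verifies the tag, not in what the pipeline signed. The variable names `GPG_PRIVATE_KEY_B64`, `GPG_KEY_ID` and `RUN_SIGNING_DEMO` are assumptions for this example, not GitLab-defined names.

```shell
#!/bin/sh
# Added example (not from the issue report). Assumed CI variables:
#   GPG_PRIVATE_KEY_B64  base64 of the ASCII-armored private key export
#   GPG_KEY_ID           key id to sign with
#   RUN_SIGNING_DEMO=1   actually run the git/gpg flow (needs a checkout and gpg)

# Import the private key from the CI variable (base64 is only an encoding,
# the key itself is protected by the CI variable's masking/protection).
import_signing_key() {
    printf '%s' "$GPG_PRIVATE_KEY_B64" | base64 -d | gpg --batch --import
}

# Enable signing for both commits and tags with the given key id.
configure_git_signing() {
    git config user.signingkey "$1"
    git config commit.gpgsign true
    git config tag.gpgSign true
}

# Take raw gpg status lines ("[GNUPG:] GOODSIG ...", "[GNUPG:] VALIDSIG <fpr> ...")
# as emitted by `git verify-commit --raw` / `git verify-tag --raw` (on stderr).
# Prints the signing key fingerprint and returns 0 only for a good signature.
signing_fingerprint_from_status() {
    status="$1"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Succeeds only when both status blocks are good signatures from the same key.
same_signer() {
    commit_fp=$(signing_fingerprint_from_status "$1") || return 1
    tag_fp=$(signing_fingerprint_from_status "$2") || return 1
    [ -n "$commit_fp" ] && [ "$commit_fp" = "$tag_fp" ]
}

# Full flow: only runs when explicitly requested, so the functions above can be
# sourced and tested without gpg or a repository present.
if [ "${RUN_SIGNING_DEMO:-0}" = "1" ]; then
    import_signing_key
    configure_git_signing "$GPG_KEY_ID"
    git commit --allow-empty -m "signed commit from CI"
    git tag -a "v0.0.0-signing-demo" -m "signed tag from CI"
    commit_status=$(git verify-commit --raw HEAD 2>&1)
    tag_status=$(git verify-tag --raw v0.0.0-signing-demo 2>&1)
    if same_signer "$commit_status" "$tag_status"; then
        echo "commit and tag signed by the same key: $(signing_fingerprint_from_status "$tag_status")"
    else
        echo "commit and tag signers differ, or one signature is not GOODSIG" >&2
        exit 1
    fi
fi
```

Run it with `RUN_SIGNING_DEMO=1` inside the CI job after the variables are set; the comparison uses the 40-character fingerprint from the `VALIDSIG` line rather than the short key id, so two keys sharing a short id cannot be confused.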
Versions
- Self-managed; GitLab Enterprise Edition v18.1.1-ee