How to restrict access to signing certificate in gitlab runners?

Is it possible to have Gitlab CI jobs that would automatically sign built code with a certificate, but restrict it so it is done only when certain rules are fulfilled?

The goal is to not allow users access to private key and don’t sign unapproved projects.

I was thinking that to sign code, project must be:

  • in group X
    
  • on project whitelist
    
  • a tag (not branch)
    

But almost immediately I thought of bypassing it by either modifying .gitlab-ci.yml (if rules are defined there) or replacing whole project content on branch with another non-whitelisted project and creating a tag.

Are there any tools in GitLab that can help with that problem?