Push Rules signed commits - specific keys

From the GitLab docs I can see how the following can be done:

  • Add a GPG key to your account with which commits are signed
  • Set up a push rule to reject unsigned commits

From an admin’s perspective, however, I was wondering if it is possible to also force which keys it must be signed with, or prevent the user from adding new keys.

Right now it seems a user could just generate a new PGP key pair, add that to their account, start signing and pushing code to a repository, which kind of bypasses stuff like admins putting the private key on a hardware token such as a YubiKey.

Is this possible in GitLab? Thanks
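
The concern in the post is that a "reject unsigned commits" rule checks that a signature exists, not which key made it. As an added example (not from the original post and not GitLab's own code), the Python check below pins commits to an allowlist of key fingerprints, working on the output of `git log --format='%H %G? %GP'`. The allowlist, fingerprints, sample lines and the place it would run (for instance a server-side hook or CI job with the admin-issued public keys imported) are assumptions.

```python
import subprocess

# Constructed allowlist: primary-key fingerprints of the admin-issued
# (for example hardware-token-backed) keys. Placeholder values.
ALLOWED_PRIMARY_FPRS = {"AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"}

# %H = commit hash, %G? = signature status, %GP = signer's primary key fingerprint
LOG_FORMAT = "%H %G? %GP"

# "G" = good signature, "U" = good signature from a key with unknown trust.
# Trust comes from the allowlist here, so both count as cryptographically valid.
VALID_STATUSES = {"G", "U"}


def git_signature_lines(rev_range):
    """Collect signature info for a range such as 'old..new'.
    Only the allowed public keys should be present in the keyring used."""
    result = subprocess.run(
        ["git", "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def rejected_commits(lines, allowed=frozenset(ALLOWED_PRIMARY_FPRS)):
    """Return [(commit, reason)] for commits not signed by an allowlisted key."""
    rejected = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue  # skip blank lines
        commit = parts[0]
        status = parts[1] if len(parts) > 1 else "N"
        fingerprint = parts[2].upper() if len(parts) > 2 else ""
        if status == "N":
            rejected.append((commit, "unsigned"))
        elif status not in VALID_STATUSES:
            # B = bad, E = cannot be checked (key not in keyring), X/Y/R = expired or revoked
            rejected.append((commit, f"signature not acceptable (status {status})"))
        elif fingerprint not in allowed:
            # Valid signature, but from a key outside the admin-managed set
            rejected.append((commit, f"key not allowlisted ({fingerprint})"))
    return rejected


# Constructed sample of `git log` output in LOG_FORMAT (not real commits or keys).
SAMPLE_LINES = [
    "c0ffee01 G AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111",
    "c0ffee02 N",
    "c0ffee03 G BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222",
    "c0ffee04 E",
    "c0ffee05 U aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111",
]
```

A hook or pipeline job would call `rejected_commits(git_signature_lines("old..new"))` and fail the push or build when the list is non-empty.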