From the GitLab Docs I can see how the following can be done:
- Add a GPG key to your account with which commits are signed
- Set up a push rule to reject unsigned commits
From an admin’s perspective however, I was wondering if it is possible to also force which keys it must be signed with, or prevent the user from adding new keys.
Right now it seems a user could just generate a new PGP key pair, add that to their account, start signing and pushing code to a repository, which kind of bypasses stuff like admins putting the private key on a hardware token such as a YubiKey.
Is this possible in gitlab? Thanks
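As an added example (not from the original post, and not GitLab's own push-rule code): the gap described above is the difference between "is the commit signed?" and "is it signed by a key the admin approved?". A server-side check can close it by listing the pushed commits with `git log` placeholders `%G?` (signature status), `%GF` (fingerprint of the signing key) and `%GP` (fingerprint of its primary key), then refusing any commit whose key is not on an admin-maintained fingerprint allowlist. The allowlist, fingerprints, commit hashes and sample log lines are constructed placeholders; `pushed_commit_lines` is the only part that calls real `git`.

```python
"""Refuse pushed commits unless signed by an admin-approved key fingerprint.

Constructed example for a pre-receive style hook; the fingerprints, commit
hashes and sample lines below are placeholders, not real keys or commits.
"""
import subprocess
from dataclasses import dataclass

# `git log` pretty format: hash, %G? status, signing-key fpr, primary-key fpr,
# tab separated (%x09). All four placeholders are documented in git-log(1).
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%GP"

# Meaning of the %G? status codes from git-log(1).
STATUS_TEXT = {
    "G": "good signature",
    "U": "good signature, key validity unknown",
    "B": "bad signature",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (key missing from server keyring)",
    "N": "no signature",
}
# "U" is accepted because the allowlist below, not gpg ownertrust on the
# server, is the trust decision; a bad, expired, revoked or absent signature
# never gets that far.
ACCEPTABLE_STATUS = {"G", "U"}

# Constructed fingerprints (40 hex chars each), not real keys.
KEY_A = "AAAA1111" * 5      # approved key provisioned on a hardware token
KEY_B = "BBBB2222" * 5      # approved primary key
KEY_B_SUB = "CCCC3333" * 5  # signing subkey belonging to KEY_B
KEY_ROGUE = "DDDD4444" * 5  # self-generated key a user added to their account

APPROVED_FINGERPRINTS = {KEY_A, KEY_B}

# Constructed `git log` output, one commit per line. For N/E/B statuses git has
# no VALIDSIG line to take fingerprints from, so those fields are empty.
SAMPLE_LINES = [
    "\t".join(["a1" * 20, "G", KEY_A, KEY_A]),          # approved key
    "\t".join(["b2" * 20, "U", KEY_B_SUB, KEY_B]),      # subkey of approved key
    "\t".join(["c3" * 20, "G", KEY_ROGUE, KEY_ROGUE]),  # good sig, unapproved key
    "\t".join(["d4" * 20, "N", "", ""]),                # unsigned
    "\t".join(["e5" * 20, "E", "", ""]),                # key not in server keyring
]


@dataclass(frozen=True)
class Verdict:
    commit: str
    accepted: bool
    reason: str


def check_line(line, approved):
    """Evaluate one LOG_FORMAT line; `approved` holds upper-case fingerprints."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        return Verdict(line.strip() or "<empty>", False, "malformed log line")
    commit, status, signing_fpr, primary_fpr = fields
    text = STATUS_TEXT.get(status, "unknown status %r" % status)
    if status not in ACCEPTABLE_STATUS:
        return Verdict(commit, False, text)
    # Design choice: a subkey signature passes when either the subkey or its
    # primary key is on the allowlist, since admins usually register primaries.
    if {signing_fpr.upper(), primary_fpr.upper()} & approved:
        return Verdict(commit, True, text)
    return Verdict(commit, False,
                   "signed by key %s which is not approved" % signing_fpr)


def rejected(lines, approved):
    """Return verdicts for every commit that must be refused (empty = allow push)."""
    normalized = {f.replace(" ", "").upper() for f in approved}
    return [v for v in (check_line(l, normalized) for l in lines) if not v.accepted]


def pushed_commit_lines(old_sha, new_sha, repo="."):
    """LOG_FORMAT lines for the commits a push introduces (real git call).

    An all-zero old_sha means a new ref, so list everything reachable from new_sha.
    """
    rev_range = new_sha if set(old_sha) == {"0"} else "%s..%s" % (old_sha, new_sha)
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    for v in rejected(SAMPLE_LINES, APPROVED_FINGERPRINTS):
        print("REJECT %s: %s" % (v.commit[:12], v.reason))
```

In a real hook the loop would read `old new ref` triples from stdin, feed each pair to `pushed_commit_lines`, and exit non-zero if `rejected` returns anything. The server keyring must hold the approved public keys, otherwise every commit comes back as status `E` and is refused rather than silently accepted.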