Verify GPG Signature for mirrored repositories

I did some reading to set up GPG signature verification for a mirrored repository, to verify commits made by an external developer on a GitHub repository.

The only solution I found is:

  • To create a new account in GitLab with the external developer's email address (the email address the developer signed the commits with)
  • Log in to GitLab with the new user account credentials, and save the GPG public key under the new account

Then GitLab will automatically start verifying GPG signatures.

However, as I am setting this up in an enterprise environment, GitLab must be accessed through SSO. That means I cannot log in with the new user account credentials and consequently cannot upload the GPG public key to the account, as all GitLab logins must be done through corporate SSO.

And I am stuck!

Is there a way to save the GPG public key without logging in as the user?

I know that I can update the settings and change the authentication mode temporarily, and log in with user credentials … but it requires security approval and could take months to proceed.

There must be a way!
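As an added example (not part of the original post), the administrator-side route GitLab's REST API v4 provides for this flow: an admin personal access token can attach a GPG public key to any user with `POST /users/:id/gpg_keys`, and a mirrored commit's verification outcome can be read back with `GET /projects/:id/repository/commits/:sha/signature`. It assumes an admin token with `api` scope; the host, user and project names are hypothetical.

```python
"""Added example (not from the original post): register an external developer's
GPG public key on their GitLab user via the admin Users API, then check how
GitLab rates a mirrored commit's signature. Assumes GitLab API v4 and an admin
personal access token; host/user/project names below are hypothetical."""
import json
import urllib.parse
import urllib.request

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def validate_armored_key(text: str) -> str:
    """Accept exactly one ASCII-armored *public* key block; reject secret keys,
    signatures or stray text before anything is sent to GitLab."""
    body = text.strip()
    lines = body.splitlines()
    if len(lines) < 3 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not a single PGP public key block")
    if body.count(ARMOR_BEGIN) != 1:
        raise ValueError("multiple key blocks; upload one at a time")
    return body + "\n"


def pick_user(users: list, email: str) -> int:
    """GET /users?search= matches loosely, so insist on the exact address:
    the key must land on the account GitLab will match the commit email to."""
    hits = [u for u in users if u.get("email", "").lower() == email.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected one user for {email}, found {len(hits)}")
    return hits[0]["id"]


def _call(base: str, token: str, method: str, path: str, data=None):
    req = urllib.request.Request(
        f"{base}/api/v4{path}", method=method,
        data=json.dumps(data).encode() if data is not None else None,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def add_key_for(base: str, token: str, email: str, armored_key: str) -> dict:
    """Admin-only: attach the key to the user owning `email` (no user login)."""
    users = _call(base, token, "GET", "/users?search=" + urllib.parse.quote(email))
    uid = pick_user(users, email)
    return _call(base, token, "POST", f"/users/{uid}/gpg_keys",
                 {"key": validate_armored_key(armored_key)})


def commit_verified(base: str, token: str, project: str, sha: str) -> bool:
    """True only when GitLab itself reports the commit signature as 'verified'."""
    proj = urllib.parse.quote(project, safe="")
    sig = _call(base, token, "GET", f"/projects/{proj}/repository/commits/{sha}/signature")
    return sig.get("verification_status") == "verified"
```

Run `add_key_for("https://gitlab.example.com", token, "dev@example.com", key_text)` once per external developer, then spot-check mirrored commits with `commit_verified(...)`.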