I did some reading to set up GPG signature verification for a mirrored repository, to verify commits made by an external developer on a GitHub repository.
The only solution I found is:
- Create a new account in GitLab with the external developer's email address (the email address the developer signed the commits with).
- Log in to GitLab with the new user account's credentials and save the GPG public key under the new account.
- GitLab will then automatically start verifying the GPG signatures.
However, as I am setting this up in an enterprise environment, GitLab must be accessed through SSO. That means I cannot log in with the new user account's credentials and consequently cannot upload the GPG public key to the account, as all GitLab logins must go through corporate SSO.
And I am stuck!
Is there a way to save the GPG public key without logging in as the user?
I know that I can update the settings and change the authentication mode temporarily, then log in with user credentials … but that requires security approval and could take months to proceed.
There must be a way!
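The procedure described in the post, carried out through the GitLab admin REST API instead of an interactive login, as an added example that is not part of the original post. It assumes an admin personal access token in `GITLAB_TOKEN` and the instance URL in `GITLAB_URL`; the user details are placeholders, and the key file is checked to be a public key block before anything is sent.

```shell
#!/bin/sh
# Added example (not from the original post): register an external developer's
# GPG public key on a GitLab user via the admin REST API, so nobody ever needs
# to log in as that user. Assumes an admin PAT in GITLAB_TOKEN and the
# instance URL in GITLAB_URL (both placeholders here).
set -eu

GITLAB_URL="${GITLAB_URL:-https://gitlab.example.com}"   # placeholder
GITLAB_TOKEN="${GITLAB_TOKEN:-}"                         # admin PAT, set by caller

# Refuse anything that is not an ASCII-armored *public* key block, so a private
# key exported by mistake never leaves the workstation or lands in an API log.
check_public_key_file() {
  f="$1"
  [ -r "$f" ] || return 1
  grep -q -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$f" && return 1
  grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$f" || return 1
  return 0
}

# Step 1: create the user that owns the signing email. force_random_password
# means no usable password exists, and the account has no SSO identity, so it
# can only act as the holder of the key. skip_confirmation marks the email as
# confirmed, which signature verification needs to match the committer email.
create_user() {
  # $1 = email, $2 = username, $3 = display name; prints the new user id
  curl -sS --fail -X POST "$GITLAB_URL/api/v4/users" \
    -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
    --data-urlencode "email=$1" --data-urlencode "username=$2" \
    --data-urlencode "name=$3" --data "force_random_password=true" \
    --data "skip_confirmation=true" \
    | sed -n 's/.*"id":\([0-9][0-9]*\).*/\1/p'   # crude: first "id" field
}

# Step 2: attach the public key to that user (admin-only endpoint).
# curl's name@file form url-encodes the whole armored key as the "key" param.
add_gpg_key() {
  uid="$1"; keyfile="$2"
  check_public_key_file "$keyfile" || { echo "not a public key: $keyfile" >&2; return 1; }
  curl -sS --fail -X POST "$GITLAB_URL/api/v4/users/$uid/gpg_keys" \
    -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
    --data-urlencode "key@$keyfile"
}

# Usage (placeholders):
#   uid=$(create_user dev@external.example alice-external "Alice (external)")
#   add_gpg_key "$uid" ./alice-pub.asc
```

After the key is attached, commits mirrored from GitHub whose committer email matches the account's confirmed email show as verified in GitLab; the key can be audited or revoked later through the same admin API.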