Hello,
I work in a company that uses gitlab but nobody use a gpg key or ssh key with their account.
I’m trying to convince them that using a gpg key is a best practice but i could not answer why when they asked me, could you please give me some good reasons?
I know that having a verified activity on gitlab is a good information that we are the one that committed those activities… but again they keep asking me why and i don’t not know what to say.
In this company we are several dev who work with differents computer of the company everyday, in that case is it worth to use a gpg key?
It my own opinion, but GPG signature is an added layer of security for integrity of the commits.
Even if someone get access to your gitLab credentials and commit code on your behalf still the commit has missing GPG signature. you and only you will ever have access to the GPG private key. you don’t even have to share it with GitLab.
so simply if you guarantee your GPG private key is secure and verify the signature before deployment you guarantee you wont deploy malicious code, otherwise you have to implement far more complext processes and platforms to guarantee that