GPG subkeys not used to verify commits
If you use a GPG public key that contains subkeys, you can upload it to GitLab... but it won't identify the subkeys, nor will it use the subkeys to verify Git commits.
This is a problem
Steps to reproduce
- Create a GPG key that contains subkeys.
- Export the key including the subkeys from GPG.
- Sign a Git commit using the subkey.
- Push that commit to GitLab.
- Add the public key including the subkey to GitLab.
- Inspect the repository in the Web UI and you will find that the commit has not been marked as verified.
tommorris/gitlab-gpg-issue-example contains a commit signed with my GPG subkey.
(The same GPG exported key is uploaded to both repositories.)
What is the current bug behavior?
Commits signed with my GPG subkey are not marked as verified even though they match a subkey contained in the public key I uploaded to GitLab.
What is the expected correct behavior?
Subkeys of a user's key should be used to determine if a commit is signed.
Output of checks
This bug happens on GitLab.com
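The expected behavior described in this report, as an added example that is not part of the original issue and is not GitLab's code: it enumerates the primary key and subkey IDs in an exported public key and checks a signature's issuer key ID against them, with and without subkeys. The sample key is constructed (real packet framing, placeholder key material), and the function names are illustrative.

```python
import hashlib

PUBKEY, USERID, SUBKEY = 6, 13, 14  # OpenPGP packet tags (RFC 4880)

def packets(data):
    """Yield (tag, body) for each packet in a binary (de-armored) OpenPGP key."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                n, i = first, i + 2
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                n, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not handled")
        else:                               # old-format header: 1, 2 or 4 length octets
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def key_ids(keyring):
    """Map each v4 key ID (low 64 bits of the SHA-1 fingerprint) to its role."""
    ids = {}
    for tag, body in packets(keyring):
        if tag in (PUBKEY, SUBKEY) and body[:1] == b"\x04":
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
            ids[fpr[-8:].hex().upper()] = "primary" if tag == PUBKEY else "subkey"
    return ids

def verifiable(keyring, issuer_id, include_subkeys=True):
    """Does the signature's issuer key ID belong to the uploaded key?"""
    role = key_ids(keyring).get(issuer_id.upper())
    return role == "primary" or (include_subkeys and role == "subkey")

def pkt(tag, body):  # constructed-data helper: old-format header, two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def key_body(seed):  # constructed v4 key body: version, creation time, algorithm, filler
    return b"\x04" + (1500000000).to_bytes(4, "big") + b"\x01" + bytes([seed]) * 32

SAMPLE_KEY = pkt(PUBKEY, key_body(0xAA)) + pkt(USERID, b"Test <t@example.invalid>") + pkt(SUBKEY, key_body(0xBB))
```

Matching the issuer key ID only selects the candidate key; the signature itself still has to be checked cryptographically against that key.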