Docs: Add example of GPG verification
Overview
The original proposal asks for a way for GitLab Runner to validate git commits and make sure that the signature belongs to a "verified" list of keys. This can already be done with pre_build_script, and because it depends heavily on the user's environment and configuration it is not part of the GitLab Runner product itself. We should add documentation that shows the user an example of how it should be done.
Original Proposal
It would be nice if the runner could verify the gpg signature of the commit or tag it is running on, so only cryptographically approved commits can be deployed.
To make addition and removal of allowed gpg keys easier, the runner could check if the key of the signer is signed by some master/ca/supervisor key.
Proposal
Add an example to the runner documentation to illustrate how a user can accomplish this using other options such as pre_get_sources_script.
The user can already implement this using pre_build_script, where they can run their own script to validate a commit. This is also a more powerful form of validation, because the script can check other things apart from GPG keys.
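As an added example (not from this issue or the GitLab Runner project), a POSIX shell script that a pre_build_script could invoke: it runs git verify-commit --raw on the commit the job is running on and accepts it only when gpg reports both GOODSIG and VALIDSIG for a key whose primary fingerprint is on a fixed allowlist. The fingerprints, the script name and the signer details are placeholders; the allowlisted keys must already be imported into the runner's gpg keyring.

```shell
#!/bin/sh
# Allowlist of primary key fingerprints permitted to sign commits.
# Constructed placeholder values, one fingerprint per line; replace with real ones.
ALLOWED_FINGERPRINTS="0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Evaluate gpg status lines (the format `git verify-commit --raw` emits) against
# the allowlist. Returns 0 only for a GOODSIG whose VALIDSIG fingerprint is listed;
# BADSIG, ERRSIG, EXPSIG, missing keys and unlisted keys all return 1.
check_signature_status() {
    status="$1"
    allowed="$2"
    # GOODSIG: signature verified with a key present in the keyring.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # VALIDSIG: the last field is the primary key fingerprint in current gpg
    # versions (field 3 is the signing subkey's own fingerprint).
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    [ -n "$fpr" ] || return 1
    # Exact, whole-line match so a partial fingerprint never passes.
    printf '%s\n' "$allowed" | grep -qx "$fpr" || return 1
    return 0
}

# Verify one commit. --raw sends gpg's machine-readable status to stderr, so it
# is captured with 2>&1; a non-zero exit from git already means an invalid signature.
verify_commit() {
    status=$(git verify-commit --raw "$1" 2>&1) || return 1
    check_signature_status "$status" "$ALLOWED_FINGERPRINTS"
}

# Entry point: pass the commit to check as the first argument, e.g.
# `sh verify-commit.sh "$CI_COMMIT_SHA"` from pre_build_script (hypothetical filename).
if [ "$#" -gt 0 ]; then
    verify_commit "$1" || { echo "commit $1 is not signed by an allowlisted key" >&2; exit 1; }
fi
```

A non-zero exit from the script fails the job before any build step runs, which is the point of placing it in pre_build_script rather than in the job's own script.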