Automated/web commits (merge or web IDE commits) should be signed (OpenPGP or any other popular signing method)
Description
I want all the commits in my repo to be signed. However automated commits run by gitlab are not signed.
Proposal
At first boot gitlab should generate a Curve25519 OpenPGP key and use that key to sign all commits.
It should not be possible to upload a new OpenPGP key. New keys should only be generated on the machine that uses them
Links / references
Documentation blurb
Overview
What is it? Automated commits are signed by gitlab Why should someone use this feature? so that all commits are signed What is the underlying (business) problem? I want all commits in my repos to be signed. How do you use this feature? it's automatic, or you can override the OpenPGP key generation.
Use cases
This is for people who want all commits to be signed.
Feature checklist
Make sure these are completed before closing the issue, with a link to the relevant commit.
-
Feature assurance -
Documentation -
Added to features.yml -
auto generated key must be ed25519
Customers
https://gitlab.my.salesforce.com/0016100001CXro6
Availability and Testing
Add feature spec to ensure that commits added through the Web interface are signed. Add feature spec to ensure that commits added through the WebIDE interface are signed.