Check whether commit is signed through GPG allows for unverified commits, there should be a stricter version


Problem to solve

The push rule "Check whether commit is signed through GPG" enforces that pushed commits carry a GPG signature, but it does not distinguish whether that signature is actually Verified or Unverified.

In our case (self-hosted GitLab Enterprise) there is a rule that everybody must GPG-sign their commits. Imagine a malicious person introduces a backdoor through a commit (with a false e-mail address, since anybody can put whatever e-mail they like into the commit metadata) and signs it with a freshly created GPG key. They then push it through a developer's compromised machine, so the committer restriction is passed: the e-mail matches the SSH key used to identify the commit author. The commit shows up in the repository in the state "Unverified", because the GPG signature really is Unverified.

Proposal

My proposal is to extend the push rule "Check whether commit is signed through GPG" with a combo box that lets the administrator choose the level of verification required for a push, something like "Check whether commit is signed through GPG and is {Verified, Unverified}".

What does success look like, and how can we measure that?

How to reproduce this issue:

  1. Clone a repo where you've previously GPG-signed commits
  2. Add a new file
  3. Create a new GPG key pair
  4. Commit a new file using a new key pair
  5. Commit is pushed to the repository and shows as unverified
  6. Commit should be rejected during push because it is unverified.
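Until such a rule exists, the stricter behaviour the reproduction steps expect can be approximated on the server side. The hook below is an added example, not GitLab's own push-rule code: it uses git's own `%G?` signature-status placeholder and accepts only `G` (good signature from a key in the hook host's trusted keyring), so a commit signed with a freshly created, unknown key is rejected rather than merely shown as Unverified. It assumes the hook host has the developers' public keys imported and trusted; GitLab's "Verified" additionally ties the key to a user account, which keyring trust only approximates.

```shell
#!/bin/sh
# Added example: pre-receive hook sketch that rejects commits whose signature
# status is anything but "G". git's %G? values: G good, B bad, U good but
# untrusted key, X expired, Y expired key, R revoked, E cannot be checked
# (e.g. key missing), N no signature.

# Judge one commit. Arguments: sha status. Returns 0 to accept, 1 to reject.
judge_commit() {
  sha="$1"; status="$2"
  case "$status" in
    G) return 0 ;;
    N) echo "$sha: rejected, commit is not signed"; return 1 ;;
    U) echo "$sha: rejected, signing key is not in the trusted keyring"; return 1 ;;
    E) echo "$sha: rejected, signature cannot be checked (key missing)"; return 1 ;;
    *) echo "$sha: rejected, signature status '$status'"; return 1 ;;
  esac
}

# Read "<sha> <status>" lines on stdin (what `git log --format='%H %G?'`
# prints, or a constructed sample) and return 1 if any commit is rejected.
judge_range() {
  rc=0
  while read -r sha status _rest; do
    [ -n "$sha" ] || continue
    judge_commit "$sha" "$status" || rc=1
  done
  return $rc
}

# Constructed sample of git's output for three pushed commits: a good one,
# one signed with an unknown key (the scenario in this issue), one unsigned.
SAMPLE='aaaa1111 G
bbbb2222 U
cccc3333 N'

# Hook entry point: pre-receive gets "<old> <new> <ref>" lines on stdin.
pre_receive() {
  zero=0000000000000000000000000000000000000000
  while read -r old new ref; do
    [ "$new" = "$zero" ] && continue            # branch deletion, nothing to check
    if [ "$old" = "$zero" ]; then range="$new"; else range="$old..$new"; fi
    git log --format='%H %G?' "$range" | judge_range || return 1
  done
  return 0
}
```

Run as `.git/hooks/pre-receive` on the server (or wired into a custom-hooks directory); `printf '%s\n' "$SAMPLE" | judge_range` shows the two rejections without needing a repository.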
Edited by 🤖 GitLab Bot 🤖