GitLab users can upload a GPG key. This key is publicly available by appending .gpg to the GitLab user profile, i.e. https://gitlab.com/remcohaszing.gpg. This is a bit of a hidden feature. I think it makes sense to make the feature more prominent by adding a link or download button to the GitLab profile.
@dmoraBerlin I think a simple button is the way to go
The current Download GPG token button suggestion seems to waste a lot of real estate, though. Can we re-use a download button and add the text in a dropdown similar to what we have on the merge request artifacts?
@ogolowinski the context for the download button you show is different here. As well, we are trying to move away from split dropdown buttons in the UI to reduce confusion. As well, the button will only show if they create a GPG key.
I like it. It looks a bit less cluttered than text, and when I see a key icon, I immediately think of GPG keys (especially in the context of developer profiles).
Sure, this should be pretty straightforward. We can just add a button to app/views/users/show.html.haml#L15 that links to /<username>.gpg. Going to weight this a 1.
@dmoraBerlin which design are we going with? secondary button or icon button?
@ogolowinski @david - I noticed this issue highlighted in the 14.3 Kickoff (and I see it's now been delivered) but when I heard about it I immediately questioned the usefulness/use case of this feature. I understand the usefulness of GPG commit signing being that you can Verify commits from specific users. I think we primarily display that information in the Commit History page so I'm wondering why adding a link to the key in the user profile page isn't an anti-pattern workflow where we are asking users to indirectly correlate information that we are already correlating directly for them.
@kencjohnston You can get the public GPG key from the Commit History (as you have shown in GitLab Docs); however, if I want a specific user's public GPG key, I would need to search for a commit from that user. As part of our Adoption Through Usability FY22 Product Theme, we are making this easier to do. Today, there is a "hidden way" to do this (getting a specific user's public GPG key, see Description for it) and this feature makes it doable from the UI as well.
I do not see this as an anti-pattern as we are not removing it from the Commit History. This is a usability improvement.
@david What's the use case for wanting to see the specific user's public GPG key? The kickoff video references that you would want to do that when working in organizations where you want to verify commits - but I think we solve for that user problem via the Commit History view already. The only use case I could immediately understand is if you don't know about the Commit History view. That's why it feels like an anti-pattern to make the single-user GPG view more accessible.
@kencjohnston I probably misspoke on the kickoff call or maybe I wasn't clear (please forgive me, I am human). The use case is if you would like to get a specific user's public GPG key. This is common in organizations as GPG keys can be used for a lot of different use cases. The Commit History only tells you the commit is signed and gives you the GPG Key ID. This does not give you the actual public GPG key. This should be available on the user's profile page like other profile specific details.
The most common use case I had in mind is wanting to download a user’s public GPG key so one can import it on their local device, so the user’s commits also show up as verified using local git commands, not just on GitLab.
Of course this was already possible, but the feature was hidden.
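The local-import workflow described in the comment above, as an added example that is not part of the original thread or GitLab's own code: it fetches `<username>.gpg` and imports it only when a primary key matches a fingerprint the key owner gave you through another channel. The function names are hypothetical, and it assumes `curl` and a GnuPG version that supports `--show-keys`.

```bash
#!/bin/sh
# Added example (not GitLab's code); all names below are illustrative.

# URL of a user's public keys; the host defaults to gitlab.com.
gitlab_key_url() {
  printf 'https://%s/%s.gpg\n' "${2:-gitlab.com}" "$1"
}

# Canonical form for comparison: no spaces, upper case.
normalize_fpr() {
  printf '%s\n' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key: the fpr record that directly follows a pub record (field 10).
primary_fingerprints() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" && want { print $10 }
           { want = 0 }'
}

# Download <user>.gpg, inspect it without touching the keyring, and import it
# only when a primary key matches the fingerprint obtained out of band.
import_verified_key() {
  ivk_user=$1
  ivk_expected=$(normalize_fpr "$2")
  ivk_tmp=$(mktemp) || return 1
  if curl -fsSL "$(gitlab_key_url "$ivk_user")" -o "$ivk_tmp" &&
     gpg --show-keys --with-colons "$ivk_tmp" | primary_fingerprints |
       grep -qxF "$ivk_expected"; then
    gpg --import "$ivk_tmp"
    ivk_rc=$?
  else
    echo "no key for $ivk_user matches $ivk_expected; nothing imported" >&2
    ivk_rc=1
  fi
  rm -f "$ivk_tmp"
  return "$ivk_rc"
}

# Usage (placeholders, fill in your own values):
#   import_verified_key <username> "<fingerprint>"
#   git log --show-signature -1   # signature is now checked against the local keyring
```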
@dmoraBerlin @peterhegman Apologies if this is written elsewhere in the ticket, but I'm writing up a release post draft, and I am not clear on what this issue introduces when you click the icon button. Does it immediately download the key? Display it in a new tab?