
Add option to only allow GPG signed merge requests


Description

In the merge request settings of a project I'd like to have an option to only allow merging a merge request when all of its commits are signed, and a second option to additionally require that those signatures are verified.

Proposal

Something like this:

Merge request settings

Customize your merge request restrictions.


- [ ] Only allow merge requests to be merged if all commits are GPG signed.
  - [ ] Only allow merge requests to be merged if all GPG signed commits are verified.

Overview

What is it?

With this feature a project could make sure that only signed (and optionally verified) commits are merged into master. It increases the integrity of the master branch and makes it harder for an attacker to sneak in rogue commits. At the very least, unsigned or unverified commits become much easier to detect in the master branch history.

Why should someone use this feature?

Security-related projects could use this feature to harden their master branch and make sure users have the ability to verify each commit.

How do you use this feature?

By checking the new merge request settings the feature is enabled, and GitLab will refuse to merge an MR if not all of its commits are signed (and, optionally, verified).
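To make the two proposed settings concrete, here is an added example (not GitLab's own implementation) that applies the policy to the output of `git log --format='%H %G?' base..head`, git's built-in per-commit signature status. The mapping of status codes to "signed" and "verified" is my assumption: a bad signature (`B`) is treated like no signature, and only a good signature from a trusted key (`G`) counts as verified.

```python
from __future__ import annotations
import subprocess
from dataclasses import dataclass

# git's %G? signature-status codes (see `git log --format`):
#   G good, B bad, U good/untrusted key, X good/expired signature,
#   Y good/expired key, R good/revoked key, E cannot check, N no signature
NOT_SIGNED = {"N", "B"}  # assumption: a bad signature counts as unsigned
VERIFIED = {"G"}         # assumption: only a trusted, good signature is "verified"


@dataclass
class MergePolicy:
    """The two checkboxes from the proposal."""
    require_signed: bool = False
    require_verified: bool = False  # only meaningful when require_signed is set


def parse_log(output: str) -> list[tuple[str, str]]:
    """Turn `git log --format='%H %G?'` output into (sha, status) pairs."""
    commits = []
    for line in output.splitlines():
        line = line.strip()
        if line:
            sha, _, status = line.partition(" ")
            commits.append((sha, status or "N"))
    return commits


def blocking_commits(commits, policy: MergePolicy) -> list[tuple[str, str]]:
    """Return the commits that would make the merge be refused."""
    if not policy.require_signed:
        return []
    blocked = []
    for sha, status in commits:
        if status in NOT_SIGNED:
            blocked.append((sha, status))
        elif policy.require_verified and status not in VERIFIED:
            blocked.append((sha, status))
    return blocked


def merge_allowed(commits, policy: MergePolicy) -> bool:
    return not blocking_commits(commits, policy)


def commits_in_range(base: str, head: str) -> list[tuple[str, str]]:
    """Query a real repository for the MR's commits (not used by the demo)."""
    cmd = ["git", "log", "--format=%H %G?", f"{base}..{head}"]
    return parse_log(subprocess.run(cmd, capture_output=True, text=True,
                                    check=True).stdout)


# Constructed sample of `git log --format='%H %G?' master..feature`
SAMPLE_LOG = "1" * 40 + " G\n" + "2" * 40 + " U\n" + "3" * 40 + " N\n"

if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    for policy in (MergePolicy(), MergePolicy(True), MergePolicy(True, True)):
        verdict = "allowed" if merge_allowed(commits, policy) else "refused"
        print(policy, "->", verdict, blocking_commits(commits, policy))
```

With the constructed log, the first checkbox alone refuses the merge because of the unsigned third commit, and enabling both checkboxes additionally flags the commit signed with an untrusted key.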

Feature checklist

Make sure these are completed before closing the issue, with a link to the relevant commit.

Edited by 🤖 GitLab Bot 🤖