Get tag signature via API

Release notes

Get tag signature via API.

Currently, the UI shows the verification status of tags, but there is no way to fetch it over the API, as far as I could tell. For commits there is GET /projects/:id/repository/commits/:sha/signature. I want equivalent functionality for tags. Something like GET /api/v4/projects/:id/repository/tags/:name/signature.

Problem to solve

Every user can configure their keys to make GitLab's verification of the tags accurate. It doesn't seem feasible to duplicate this verification locally, so there is no way for automation to know if a tag has a valid signature or not.

Proposal

Add new API endpoint, GET /api/v4/projects/:id/repository/tags/:name/signature, that behaves like GET /projects/:id/repository/commits/:sha/signature does for commits. cf. https://docs.gitlab.com/ee/api/commits.html#get-gpg-signature-of-a-commit

Intended users

Used by anyone who automates CICD operations. The capability to verify tag signatures can be used to harden audit trails trails and increase trust in any information stored in tags, which increases GitOps security.

• Sasha (Software Developer)
• Priyanka (Platform Engineer)

Feature Usage Metrics

You can track the usage of the feature by tracking how often the API endpoint is called.