Prevent users from adding SSH/GPG keys on their own
Proposal
GitLab allows setting push rules to enforce that commits are signed, as documented here: https://docs.gitlab.com/ee/user/project/repository/push_rules.html
These rules do not verify the signature itself, but that is already tracked as a separate issue: #208313
Even assuming that issue is solved, there is still a scenario where a developer could simply create a new PGP key and add it to their account from this page: https://gitlab.com/-/profile/gpg_keys
As a security admin, I would like to be able to prevent developers from adding new keys to their GitLab account, or to configure rules to ensure commits are signed with a certain key ID.
Possible UX
The feature could be as simple as a textbox alongside "Reject unsigned commits" that accepts a CSV (or similar) list of GPG key IDs allowed to sign commits, i.e. a textbox shown below that option when it is checked.
As for the implementation on the backend, I am not too sure how it's best done.
Alternatives Considered
One hacky way I've thought of is a CI/CD job which goes through git log and verifies signatures. However, since .gitlab-ci.yml is part of the repository, this seems trivial for a developer to bypass if they intend to do so.
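As an added example (not code from the issue author or from GitLab), the check that both the proposal and this alternative describe: verify every commit's signature and compare the signing key against an allowlist. The git format placeholders `%H`, `%G?` and `%GF` are real git features; the sample log output, commit hashes and fingerprints below are constructed, and the allowlist name is hypothetical.

```python
import subprocess
from dataclasses import dataclass

# Constructed sample of `git log --format='%H %G? %GF'` output; not real commits.
# %G? codes: G good, B bad, U good but untrusted, X good but expired,
# Y good but key expired, R good but key revoked, E cannot check, N unsigned.
# %GF is the fingerprint of the signing key; prefer it over short key IDs,
# which are far easier to collide than a full fingerprint.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2222222222222222222222222222222222222222 G BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 B CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
5555555555555555555555555555555555555555 U AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

# Hypothetical allowlist: fingerprints of keys permitted to sign commits.
ALLOWED_FINGERPRINTS = {"A" * 40}

# The allowlist is the trust policy, so a cryptographically good signature from an
# allowlisted key is accepted even if gpg's own trust db marks it unknown (U).
ACCEPTED_STATUSES = {"G", "U"}


@dataclass
class Violation:
    commit: str
    reason: str


def check_log(log_text, allowed_fingerprints):
    """Return violations found in `git log --format='%H %G? %GF'` output."""
    violations = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        commit, status = parts[0], parts[1]
        fingerprint = parts[2] if len(parts) > 2 else ""
        if status == "N":
            violations.append(Violation(commit, "unsigned"))
        elif status not in ACCEPTED_STATUSES:
            violations.append(Violation(commit, f"signature status {status}"))
        elif fingerprint not in allowed_fingerprints:
            violations.append(Violation(commit, f"key {fingerprint} not allowlisted"))
    return violations


def check_range(rev_range, allowed_fingerprints):
    """Check a real revision range, e.g. old..new from a pre-receive hook."""
    out = subprocess.run(["git", "log", "--format=%H %G? %GF", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return check_log(out, allowed_fingerprints)
```

Run from a server-side pre-receive hook, a non-empty result rejects the push before it lands; run as a CI job it inherits the bypass problem described above, since the developer controls the pipeline definition.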