Beyond Identity: Check the validity of GPG keys with Beyond Identity daily

Summary

The first iteration of the Beyond Identity integration, [MVC] Beyond Identity integration (#431433 - closed), introduces GPG key validation with Beyond Identity. When a user adds a GPG key to their profile, the key is verified. If the key wasn’t issued by the Beyond Identity Authenticator, or the email used in their GitLab profile is different from the email assigned to the key in the Beyond Identity Authenticator, the key is rejected. However, keys are not currently revalidated on a recurring basis.

As a second iteration, we want to add a service that checks the validity of the GPG keys with Beyond Identity daily.

When the Beyond Identity integration is enabled:

On push, we will check if the key was validated with the Beyond Identity service in the last 24 hours.

  • If yes, we will accept the push.
  • If no, we will check the validity of the key with Beyond Identity.
    • If the key is still valid, we will accept the push.
    • If the key is no longer valid, we will reject the push.
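The push-time decision above, sketched as an added example (not GitLab's or Beyond Identity's code). `PushKeyCheck`, `KeyRecord` and the `validator` callable are hypothetical names. Rejecting the push when the service cannot be reached, and ignoring timestamps that lie in the future, are assumptions this issue does not specify.

```ruby
# Added illustration; all names are hypothetical, not GitLab's API.
REVALIDATION_WINDOW = 24 * 60 * 60 # seconds: "validated in the last 24 hours"

# Minimal stand-in for a stored GPG key and its last successful validation.
KeyRecord = Struct.new(:fingerprint, :last_validated_at)

class PushKeyCheck
  # validator: callable taking a fingerprint and returning true/false; it is
  # assumed to raise when the external service cannot be reached.
  def initialize(validator, clock: -> { Time.now })
    @validator = validator
    @clock = clock
  end

  # Returns [decision, reason], where decision is :accept or :reject.
  def call(key)
    now = @clock.call
    return [:accept, :recently_validated] if fresh?(key, now)

    if @validator.call(key.fingerprint)
      key.last_validated_at = now # start a new 24-hour window
      [:accept, :revalidated]
    else
      key.last_validated_at = nil # an invalid key must not keep an old timestamp
      [:reject, :key_no_longer_valid]
    end
  rescue StandardError
    # Assumption: fail closed and leave the stored timestamp untouched.
    [:reject, :validation_unavailable]
  end

  private

  def fresh?(key, now)
    ts = key.last_validated_at
    # Assumption: a timestamp in the future (clock skew, bad data) is not fresh.
    !ts.nil? && ts <= now && (now - ts) < REVALIDATION_WINDOW
  end
end
```

Injecting the clock and the validator keeps the decision testable without calling the external service.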

When the Beyond Identity integration is enabled and there is no valid GPG key associated with the user profile:

  • Add an alert (warning variant - yellow) in the UI: "There is no valid GPG key associated with your profile. Please add a valid key to your profile."
    • Alert is not dismissible
    • Primary button (blue one) on alert should navigate the user to the GPG page of the Preferences
      • Text on button: "Manage GPG keys"
      • Links to: /-/profile/gpg_key
Edited by Marie-Christine Babin