Signed commits created via REST API should not have author fields customized
Overview
When a commit is created via the Commits API (https://docs.gitlab.com/ee/api/commits.html#create-a-commit-with-multiple-files-and-actions), it is created via Gitaly, i.e. it is treated as a web commit. Currently, such commits are signed and the following message is displayed:
The message states that the commit was created in the UI, but it was actually created via the API, which is not the same thing.
Problem
The fact that the Author/Committer fields cannot be changed via the UI is what makes signing web commits trustworthy. However, `author_name` and `author_email` can be specified in the API request, which makes impersonation possible.
Solution
- Add a new field to the Commits API (`sign` or `sign_commits`)
- If commit signing is not configured for the instance, the field has no effect
- If commit signing is enabled, then commits created via the Commits API are signed
- If the author name and email are specified, then the Commits API returns a validation error: these fields cannot be specified when the `sign` field equals `true`
- A user has the option to pass `sign: false` along with the author fields and create an unsigned commit with the author fields set
- If an organization uses `reject unsigned commits` and has commit signing enabled for commits made by GitLab, unsigned commits created via the Commits API are rejected
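The rules proposed above, modelled as an added example (not GitLab's own code): a constructed decision function that takes a create-commit request body plus the instance and push-rule settings and reports whether the request is accepted, whether the commit is signed, and which author is recorded. The `sign` field, its assumed default of `true`, and all function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the proposed rules. Field and function names are
# assumptions for illustration, not GitLab's actual Commits API.
AUTHOR_FIELDS = ("author_name", "author_email")


@dataclass
class Decision:
    accepted: bool              # request passes validation and push rules
    signed: bool                # commit would carry the instance's signature
    author: Tuple[str, str]     # (name, email) recorded on the commit
    error: Optional[str] = None


def decide_commit_request(payload: dict, current_user: Tuple[str, str],
                          instance_signing_enabled: bool,
                          reject_unsigned_commits: bool) -> Decision:
    """Apply the proposed Commits API rules to a create-commit request body."""
    # Proposed `sign` field; assumed to default to true so that API commits
    # behave like web commits unless the caller explicitly opts out.
    sign = bool(payload.get("sign", True))
    author_given = any(f in payload for f in AUTHOR_FIELDS)
    # Caller-supplied author fields win; otherwise the authenticated user.
    author = (payload.get("author_name", current_user[0]),
              payload.get("author_email", current_user[1]))

    if not instance_signing_enabled:
        # Signing is not configured: `sign` has no effect and the author
        # fields are honoured as today. (Push-rule interplay is out of scope.)
        return Decision(accepted=True, signed=False, author=author)

    if sign and author_given:
        # An instance signature must attest the authenticated user, so
        # caller-chosen author fields are rejected instead of being signed over.
        return Decision(accepted=False, signed=False, author=author,
                        error="author_name/author_email cannot be set when sign is true")

    if not sign and reject_unsigned_commits:
        # The organization requires signed commits: opting out is rejected.
        return Decision(accepted=False, signed=False, author=author,
                        error="unsigned commits are rejected by the push rule")

    return Decision(accepted=True, signed=sign, author=author)
```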