Docs: Clarify the requirement for signed commits in merge requests
https://docs.gitlab.com/user/project/repository/push_rules/#require-signed-commits
Summary
Currently, the documentation doesn't explicitly state how the requirement for signed commits works for merge requests:
- What if the author of the MR doesn't have a GPG signature? Does it only matter that the developer merging the MR has a signature?
- Does it matter that the commits were created through the web interface (single-file editor or Web IDE)?
- What if there is more than one commit, and they are from different authors (without signatures)?
- Does it matter whether the commits are squashed?
- Does it matter if the MR author uses community forks?
- How does applying Code Suggestions (by an MR author from a developer or vice versa) affect this?
- Any other conditions ...
Update
An initial attempt to clarify this documentation was made in !209455 (closed), but based on feedback, the behavior is complex and varies significantly between GitLab.com and GitLab Self-managed, particularly around web-based commit signing capabilities.
Current status: Documentation improvements are on hold pending the rollout of web-based commit signing features, which will affect how these scenarios work.
References
The source of the questions is gitlab-org/gitlab-services/version.gitlab.com!239 (merged). In it, I still managed to create an MR (merged) without GPG. I used the Web IDE, community forks, and commit squashing. I'm not sure which of these factors mattered.