Create means to sign pushes/tags with keys other than GPG keys

Problem to solve

I think many can agree that GPG was a good idea, but it leaves a lot to be desired.

We'd like to see the ability to sign commits using PKI-based RSA or ECC keys. This would be a benefit to many in several ways.

  • If the keys are PKI-based, GitLab could enforce rules for rejecting commits whose certificates have been revoked, have expired, or are not trusted
  • PKI-based RSA/ECC keys are easier to manage than GPG keys
  • Would enable the use of YubiKey PKI-based tokens
  • For Federal customers, this would enable the use of a CAC/PIV card to sign commits

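The first bullet describes a server-side check: accept a signed commit only when the signer's certificate chains to a trusted CA, is within its validity period, and has not been revoked. The following Go program is an added illustration of that check, not GitLab's code or a proposed implementation. Using only the standard library it builds a throwaway corporate root CA and a rogue CA, signs one constructed commit payload under several signer certificates (valid, expired, revoked, issued by the untrusted CA, and one whose payload was altered after signing), and returns the policy decision for each. The `SignedCommit`, `Policy`, `issue` and `Demo` names, the in-memory set of revoked serial numbers (standing in for a CRL or OCSP lookup), the commit bytes and the fixed clock are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Rejection reasons: the three rules from the issue plus a signature mismatch.
var (
	ErrUntrusted    = errors.New("certificate untrusted or outside its validity period")
	ErrRevoked      = errors.New("certificate revoked")
	ErrBadSignature = errors.New("signature does not match commit payload")
)

// SignedCommit (hypothetical) bundles raw commit bytes, an ECDSA signature over their SHA-256 digest, and the signer's certificate.
type SignedCommit struct{ Payload, Sig []byte; Cert *x509.Certificate }

// Policy is the server-side trust state: trusted roots plus revoked decimal serial numbers
// (assumed here to be refreshed from the CA's CRL or an OCSP responder).
type Policy struct{ Roots *x509.CertPool; Revoked map[string]bool }

// Verify accepts a commit only if its certificate chains to a trusted root, is valid at `now`, is not revoked, and signed the payload.
func (p Policy) Verify(c SignedCommit, now time.Time) error {
	// Chain building also enforces NotBefore/NotAfter against `now`.
	opts := x509.VerifyOptions{Roots: p.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := c.Cert.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrusted, err)
	}
	if p.Revoked[c.Cert.SerialNumber.String()] {
		return ErrRevoked
	}
	pub, ok := c.Cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(c.Payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], c.Sig) {
		return ErrBadSignature
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a certificate for pub signed by key; a nil parent makes it self-signed.
func issue(serial int64, cn string, isCA bool, nb, na time.Time,
	pub *ecdsa.PublicKey, key *ecdsa.PrivateKey, parent *x509.Certificate) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// Demo builds a throwaway corporate CA and a rogue CA, signs one constructed commit
// under several signer certificates for the same developer key, and returns each policy decision.
func Demo() map[string]error {
	now := time.Date(2018, 12, 17, 12, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	year := 365 * 24 * time.Hour
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, rogueKey, devKey := newKey(), newKey(), newKey()
	caCert := issue(1, "Corp Root CA", true, now.Add(-year), now.Add(10*year), &caKey.PublicKey, caKey, nil)
	rogueCert := issue(1, "Rogue CA", true, now.Add(-year), now.Add(10*year), &rogueKey.PublicKey, rogueKey, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	policy := Policy{Roots: roots, Revoked: map[string]bool{"3": true}} // serial 3 is on the CRL
	payload := []byte("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor Dev <dev@example.com>\n\nfix: constructed commit\n") // constructed commit object
	digest := sha256.Sum256(payload)
	// leaf issues a signer certificate for devKey with the given serial, expiry and issuer, then signs the payload.
	leaf := func(serial int64, na time.Time, key *ecdsa.PrivateKey, parent *x509.Certificate) SignedCommit {
		cert := issue(serial, "dev@example.com", false, now.Add(-2*year), na, &devKey.PublicKey, key, parent)
		return SignedCommit{Payload: payload, Sig: must(ecdsa.SignASN1(rand.Reader, devKey, digest[:])), Cert: cert}
	}
	good := leaf(2, now.Add(year), caKey, caCert)
	tampered := SignedCommit{Payload: []byte(string(payload) + "!"), Sig: good.Sig, Cert: good.Cert}
	return map[string]error{
		"valid":     policy.Verify(good, now),
		"expired":   policy.Verify(leaf(5, now.Add(-24*time.Hour), caKey, caCert), now),
		"revoked":   policy.Verify(leaf(3, now.Add(year), caKey, caCert), now),
		"untrusted": policy.Verify(leaf(4, now.Add(year), rogueKey, rogueCert), now),
		"tampered":  policy.Verify(tampered, now),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-10s -> %v\n", name, err)
	}
}
```

Running it with `go run` prints one line per case; only `valid` comes back with a nil error. The ordering of the checks matters: chain and validity-period checks come first so that a revocation list is only consulted for certificates the server would otherwise trust, and the signature is verified last so the cost of the signature check is never spent on a certificate that would be rejected anyway. In a real deployment the `Revoked` set would be replaced by a CRL fetched from the CA's distribution point or an OCSP query, which is what makes the revocation rule in the issue enforceable without re-keying users.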
To us this addition is logical: GPG is limited in many ways and is not centrally managed by IT, whereas PKI-based signing would provide real non-repudiation for code committed to GitLab.

Target audience

Security-aware enterprises that want central management of credentials, which provides non-repudiation of commits.

Further details

Links / references

Edited Dec 17, 2018 by Harold S