add a URL to get a user's GPG key
What does this MR do?
This patch adds a URL to get a user's GPG key, namely /:username.gpg. This is comparable to the SSH key's /:username.key.
GitLab already supports signing commits, but it's not complete because you cannot verify the signature without public keys. With this patch, you can easily get someone's GPG key and verify signed commits.
You can import a GPG key directly from this URL:
$ gpg --fetch-keys https://<base_url>/<user>.gpg
This is my first MR, so please point out if I'm doing something wrong.
FYI GitHub has already implemented this feature.
Risk: This feature exposes user data without authentication. However, because the data is a public key, it is generally safe.
See also: !42288 (merged), !43332 (merged)
Screenshots (strongly suggested)
I have 3 GPG keys, and it returns verified keys only.
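As an added illustration (not the MR's own code), a minimal Rack-style handler for GET /:username.gpg that serves only a user's verified GPG public keys as concatenated ASCII-armored text, which is what gpg --fetch-keys consumes. The key store, field names and placeholder armored blocks are constructed assumptions, not GitLab's data model.

```ruby
# Assumed route: /:username.gpg (the .keys endpoint for SSH keys is the model).
GPG_ROUTE = %r{\A/(?<username>[A-Za-z0-9_.-]+)\.gpg\z}
TEXT_PLAIN = { 'Content-Type' => 'text/plain' }.freeze
PUBLIC_KEY_HEADER = '-----BEGIN PGP PUBLIC KEY BLOCK-----'

# Constructed placeholder for an armored public key; not a real key.
def fake_armored(tag)
  "#{PUBLIC_KEY_HEADER}\n\n#{tag}\n-----END PGP PUBLIC KEY BLOCK-----\n"
end

# Constructed sample store: username => GPG keys with their verification status.
SAMPLE_USERS = {
  'alice' => [
    { fingerprint: 'AAAA1111', verified: true,  armored: fake_armored('KEY-A1') },
    { fingerprint: 'AAAA2222', verified: false, armored: fake_armored('KEY-A2') },
    { fingerprint: 'AAAA3333', verified: true,  armored: fake_armored('KEY-A3') }
  ],
  'bob' => [
    { fingerprint: 'BBBB1111', verified: false, armored: fake_armored('KEY-B1') }
  ]
}.freeze

# Only verified keys are served, mirroring the MR's screenshot. The header check
# is a defensive guard so that nothing but public-key blocks can ever be emitted.
def verified_gpg_keys(keys)
  keys.select { |k| k[:verified] && k[:armored].start_with?(PUBLIC_KEY_HEADER) }
      .map { |k| k[:armored] }
end

# Unauthenticated, like the SSH .keys endpoint: unknown path or user => 404;
# known user with no verified keys => 200 with an empty body.
# Returns a Rack-like [status, headers, body] triple.
def handle_gpg_request(path, store = SAMPLE_USERS)
  match = GPG_ROUTE.match(path)
  return [404, TEXT_PLAIN, "Not found\n"] unless match
  keys = store[match[:username]]
  return [404, TEXT_PLAIN, "Not found\n"] unless keys
  # gpg --fetch-keys imports every armored block in a concatenated response.
  [200, TEXT_PLAIN, verified_gpg_keys(keys).join]
end

if __FILE__ == $PROGRAM_NAME
  status, _headers, body = handle_gpg_request('/alice.gpg')
  puts "HTTP #{status}"
  puts body
end
```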
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team