Enable bots to sign commits and have GitLab verify them
### Proposal

The goal is to enable customers to require that _all commits must be signed_ and at the same time _let them have bots push commits_ (that are not rejected).

There are two ways we could do this:

1. Allow project bots to have public GPG and SSH keys stored in GL so that GL can verify their commits. Things to consider:
   - Unlike users' private keys, the private key of a bot is not fully private to the bot. All users that have access to the bot also have access to the private key and the access token. So they could impersonate the bot.
   - The fact that we call such commits signed with this bot's key is probably still o.k.
2. Make an exception for commits from bots from the rule that requires commits to be signed.
   - We can already detect if the pusher was a bot. So it would not require means to

The first approach seems much cleaner.

### Next steps

1. Analytics: find out what percentage of projects uses bot users at all
2. Wait for more feedback to see how popular this would be

### Customer requests

- https://gitlab.com/gitlab-org/gitlab/-/issues/293626+
- https://gitlab.com/gitlab-com/account-management/apac/australia/australia-post/collab-project/-/issues/67+