<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=577197) </details> <!--IssueSummary end--> https://docs.gitlab.com/user/project/repository/push_rules/#require-signed-commits ## Summary Currently, the documentation doesn't explicitly state how the requirement for signed commits works for merge requests: * What if the author of the MR doesn't have a GPG signature? Does it only matter that the developer merging the MR has a signature? * Does it matter that the commits were created through the web interface (single-file editor or **Web IDE**)? * What if there are more than one commit and from different authors (without signatures)? * Does it matter whether the commits are squashed? * Does it matter if the MR author uses community forks? * How does applying **Code Suggestions** (by a MR author from a developer or vice versa) affect this? * Any other conditions ... ## Update An initial attempt to clarify this documentation was made in !209455, but based on feedback, the behavior is complex and varies significantly between GitLab.com and GitLab Self-managed, particularly around web-based commit signing capabilities. **Current status:** Documentation improvements are on hold pending the rollout of web-based commit signing features, which will affect how these scenarios work. ## References The source of the questions is https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/merge_requests/239. In it, I still managed to create an MR (merged) without GPG. I used the **Web IDE**, community forks, and commit squashing. I'm not sure which of these factors mattered.