# Validate commits are signed with the enterprise's GPG signing solution
## Problem
Some enterprises have chosen enterprise-wide GPG solutions as part of their zero-trust security policies. They would like to be able to enforce that only commits signed with their GPG keys are able to make contributions to their software projects.
## Proposed solution
The proposed solution is to leverage GitLab's existing GPG functionality and extend it. Today GitLab allows users to upload a GPG key to their user profile, which is then used to validate their commits. When a commit is validated, it gets a green check.
In addition to the visual indicators, GitLab is also able to reject _unsigned_ commits. However, no further validation of the signing key is done.
Two gaps, however, remain to be solved:
1. Checking that the user's uploaded GPG key is actually the one from the enterprise
1. Checking that the user used _the GPG key which matches their profile_ to sign the commits.
This proposal attempts to address those two areas by:
1. Inserting a check on GPG key upload, to validate the key against the enterprise's GPG system
1. Validating that a user signed their commits with the GPG key in their user profile - https://gitlab.com/groups/gitlab-org/-/epics/11477
### Configuration options
GitLab would add an additional Repository setting to validate the commit's signing key against the user's profile GPG key during the pre-receive phase. This setting could be set at the group and project level, with the group setting overriding the project setting.
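As an added illustration of the pre-receive check (not GitLab's code), the hook could parse the gpg status lines that `git verify-commit --raw <sha>` prints and compare the signing key's fingerprint, or that of its primary key, with the fingerprints on the pusher's profile. The `check_commit_signature` function, its accept/reject policy, and the sample status lines and fingerprints are constructed assumptions.

```python
from dataclasses import dataclass

# gpg status keywords meaning the signature must not be trusted: bad or
# unverifiable signature, or one made with an expired/revoked key.
REJECTING_STATUS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    matched_fpr: str = ""


def check_commit_signature(status_output: str, profile_fingerprints: set[str]) -> Verdict:
    """Parse `git verify-commit --raw` status lines and accept only when gpg
    reports VALIDSIG and the signing key (or its primary key) is on the
    pusher's profile.  Assumed policy, not GitLab's implementation."""
    allowed = {f.upper() for f in profile_fingerprints}
    candidates: set[str] = set()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in REJECTING_STATUS:
            return Verdict(False, f"rejected: gpg status {keyword}")
        if keyword == "VALIDSIG":
            # fields[2]: fingerprint of the (sub)key that signed;
            # fields[11] (if present): fingerprint of its primary key.
            candidates.add(fields[2].upper())
            if len(fields) > 11:
                candidates.add(fields[11].upper())
    if not candidates:
        return Verdict(False, "rejected: no VALIDSIG, commit unsigned or unverifiable")
    matched = candidates & allowed
    if not matched:
        return Verdict(False, "rejected: signing key is not on the pusher's profile")
    return Verdict(True, "accepted: signed with a profile key", min(matched))


# Constructed sample data: a signature made by a subkey of the profile's key.
PRIMARY_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SUBKEY_FPR = "0F1E2D3C4B5A69788796A5B4C3D2E1F001234567"
STATUS_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Jane Doe <jane@example.com>
[GNUPG:] VALIDSIG {SUBKEY_FPR} 2024-01-15 1705312345 0 4 0 22 8 01 {PRIMARY_FPR}
[GNUPG:] TRUST_FULLY 0 pgp"""
STATUS_EXPIRED = STATUS_GOOD.replace("GOODSIG", "EXPKEYSIG")
```

In a hook, the status text comes from the stderr of `git verify-commit --raw $sha` for each new commit in the pushed range, and a rejecting verdict aborts the push.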
## Alternative solutions
Alternatively, the verification of the key against the enterprise system could also be shifted into the git pre-receive phase; however, this is undesirable because it introduces a third party into the critical git transaction path.
## Iterations
1. Implement the check of the commit's signing key against the key uploaded in the user's profile
1. Implement the check of the user's profile key against the third-party system