GPG signature must match the committer in order to be verified
What does this MR do?
It adds an additional check to make sure that the signature and the commit were created by the same user.
Are there points in the code the reviewer needs to double check?
Why was this MR needed?
Currently the committer and the signature don't have to be created by the same user, which is confusing and may lead to a wrong conclusion about the authenticity of the signature.
The development of this MR is sponsored by @siemens (/cc @bufferoverflow).
Screenshots (if relevant)
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
API support added -
Tests added for this feature/bug - Review
-
Has been reviewed by UX -
Has been reviewed by Frontend -
Has been reviewed by Backend -
Has been reviewed by Database
-
-
Conform by the merge request performance guides -
Conform by the style guides -
Squashed related commits together
What are the relevant issue numbers?
Edited by username-removed-81730