Skip to content
Snippets Groups Projects
Select Git revision
  • move-gl-dropdown
  • improve-table-pagination-spec
  • move-markdown-preview
  • winh-fix-merge-request-spec
  • master default
  • index-namespaces-lower-name
  • winh-single-karma-test
  • 10-3-stable
  • 36782-replace-team-user-role-with-add_role-user-in-specs
  • winh-modal-internal-state
  • tz-ide-file-icons
  • 38869-milestone-select
  • update-autodevops-template
  • jivl-activate-repo-cookie-preferences
  • qa-add-deploy-key
  • docs-move-article-ldap
  • 40780-choose-file
  • 22643-manual-job-page
  • refactor-cluster-show-page-conservative
  • dm-sidekiq-versioning
  • v10.4.0.pre
  • v10.3.0
  • v10.3.0-rc5
  • v10.3.0-rc4
  • v10.3.0-rc3
  • v10.3.0-rc2
  • v10.2.5
  • v10.3.0-rc1
  • v10.0.7
  • v10.1.5
  • v10.2.4
  • v10.2.3
  • v10.2.2
  • v10.2.1
  • v10.3.0.pre
  • v10.2.0
  • v10.2.0-rc4
  • v10.2.0-rc3
  • v10.1.4
  • v10.2.0-rc2
40 results

gpg_signed_commits

  • Clone with SSH
  • Clone with HTTPS
    • Forked from GitLab.org / GitLab FOSS
    2 commits behind, 5035 commits ahead of the upstream repository.
    user avatar
    user may now revoke a gpg key
    Alexis Reigel authored 
    other than just removing a key, which doesn't affect the verified state
of a commit, revoking a key unverifies all signed commits.
    027309eb
    History
    user avatar 027309eb
    History
    Name Last commit Last update
    ..
    img
    index.md
    index.md

    Signing commits with GPG

    Getting started

    How GitLab handles GPG

    GitLab uses its own keyring to verify the GPG signature. It does not access any public key server.

    In order to have a commit verified on GitLab the corresponding public key needs to be uploaded to GitLab.

    For a signature to be verified two prerequisites need to be met:

    1. The public key needs to be added to GitLab
    2. One of the emails in the GPG key matches your primary email

    Add a GPG key

    1. On the upper right corner, click on your avatar and go to your Settings.

      Settings dropdown

    2. Navigate to the GPG keys tab.

      GPG Keys

    3. Paste your public key in the 'Key' box.

      Paste GPG public key

    4. Finally, click on Add key to add it to GitLab. You will be able to see its fingerprint, the corresponding email address and creation date.

      GPG key single page

    Note: Once you add a key, you cannot edit it, only remove it. In case the paste didn't work, you will have to remove the offending key and re-add it.

    Remove a GPG key

    1. On the upper right corner, click on your avatar and go to your Settings.

    2. Navigate to the GPG keys tab.

    3. Click on the trash icon besides the GPG key you want to delete.

    Note: Removing a key does not unverify already signed commits. Commits that were verified by using this key will stay verified. Only unpushed commits will stay unverified once you remove this key.

    Revoke a GPG key

    1. On the upper right corner, click on your avatar and go to your Settings.

    2. Navigate to the GPG keys tab.

    3. Click on Revoke besides the GPG key you want to delete.

    Note: Revoking a key unverifies already signed commits. Commits that were verified by using this key will change to an unverified state. Future commits will also stay unverified once you revoke this key. This action should be used in case your key has been compromised.

    Verifying commits

    1. Within a project navigate to the Commits tag. Signed commits will show a badge containing either "Verified" or "Unverified", depending on the verification status of the GPG signature.

      Signed and unsigned commits

    2. By clicking on the GPG badge details of the signature are displayed.

      Signed commit with verified signature

      Signed commit with verified signature