Add support for commit signing using SSH
A commit's Author field can be edited; that's why commit signing is used to verify that a particular user is indeed the author of a commit: https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/#configure-commit-signing
When a commit is created via Web UI or on merge, we can't sign a commit using the user's private key because we don't have access to it. But when the commit is created via Web UI or on merge, the Author field cannot be edited. That's why we can sign it using GitLab's instance private key and mention that "The commit has been created on Gitlab.com and signed with GitLab's verified signature". Signing commits using OpenPGP has been introduced in: !4802 (merged)
However, there are concerns that the used library is neither FIPS-approved nor is using bindings to FIPS-approved modules: #4594 (closed).
This merge request uses the x/crypto library instead of its fork in order to implement signing via SSH. If we restrict the list of algorithms that are used, the solution seems to be FIPS compliant: !5408 (comment 1288360238), !5408 (comment 1288360227)
The current plan is to support both GPG and SSH keys but mention in the docs that only the SSH solution is FIPS-compliant. Making the GPG solution FIPS-compliant can be done as a follow-up; however, it's not yet clear which library to use for it.
Related issue: #4594 (comment 1285921203)