bmeneg
commented
8 months ago At first, we can just print enough information for the user and let one deal with adding that public key to the correct place: "allowed_signers" file in case of SSH signature, and GPG keyring for GPG signature, avoiding system differences, eg. gpg gpg2 gnome-keyring....
When a user works with signed commits (SSH or GPG key) and wants to verify the keys locally, one must retrieve the public key for the commit's author from GitLab's database and add it to the
allowed_signersfile (or the file pointed bygpg.ssh.allowedSignersFilegit config) and/or the GPG local keyring, enabling the signature verification ongit log --show-signatures.For that, we must use User's API endpoint, which is also available in go-gitlab package.