Authentication based on signing PGP key in git

What I Am Tasked With:
Authenticate a merge in CI based on the committer’s PGP signing key.

What we’ve been doing:
CI executes shell that

  • pulls public pgp keys from a repo, adds them in the runner’s keyring
  • If the commit matches a known key, continue, else fail.

What’s wrong with that:

  • Doesn’t scale
  • Rebuilding this scheme to allow for the concept of separation of duties is ugly.

What about [gitlab/github] native tools for managing this process?

  • Last resort, for complicated reasons

So I thought about keycloak.

Is it doable to curl from shell with a few values ($commit, $repository_name), talk to a realm and get approval based on a stored public key? Something like

realm: pgp

User:Bob
Key: C874011F0AB405110D02105534365D947228383831
Repositories : company-web, company-sql

User:Carl
Key: C874011F0AB4087754D02134365D94722893838391
Repositories : company-web

Pseudo:
if [bob / company-sql] then; OK
if [carl / company-sql] then: FAIL

That would allow me to

  • Manage public keys in a central location
  • Allow for the concept of separation of duties
  • Allow me to replace 160 lines of shell with a few lines of curl.
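The decision described in the post (signature must verify, and the signing key must be allowed for this repository), as an added example that is not the poster's script or a Keycloak API call. It reads the output of `git log -1 --format='%H %G? %GF'` for the merge commit (a constructed sample line stands in for that output) and checks it against a policy table keyed by key fingerprint. The table is constructed inline using the two fingerprints from the post; in the poster's design the same mapping would be fetched from a central store such as a Keycloak realm. Note the split of responsibilities this implies: gpg on the runner still needs the public key present to verify the signature at all (otherwise `%G?` reports `E`), while the central store answers only the authorization question, so separation of duties lives in the policy table rather than in the keyring.

```python
"""Commit authorization: valid signature AND key allowed for the repository.

Added example; models the post's pseudo-policy. POLICY is constructed inline
(fingerprints taken from the post) and stands in for a lookup against a
central store such as a Keycloak realm.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed policy table keyed by full key fingerprint. A central service
# would return the same shape as JSON.
POLICY = {
    "C874011F0AB405110D02105534365D947228383831": {
        "user": "Bob", "repositories": {"company-web", "company-sql"}},
    "C874011F0AB4087754D02134365D94722893838391": {
        "user": "Carl", "repositories": {"company-web"}},
}

# `%G?` status codes. "G" = good signature from a trusted key; "U" = good
# signature from a key the runner's keyring does not mark as trusted. Since
# trust is decided by the central policy here, "U" counts as a verified
# signature; everything else (bad, expired, revoked, missing key, unsigned)
# fails before the policy lookup.
VALID_SIGNATURE = {"G", "U"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_git_line(line: str) -> tuple[str, str, str]:
    """Parse one line of `git log -1 --format='%H %G? %GF' <commit>`.

    Returns (commit_sha, signature_status, fingerprint). %GF is empty for
    unsigned commits, so the fingerprint may be "".
    """
    m = re.fullmatch(r"([0-9a-f]{40}) ([GBUXYREN]) ?([0-9A-F]*)", line.strip())
    if not m:
        raise ValueError(f"unexpected git output: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def authorize(line: str, repository: str, policy: dict = POLICY) -> Decision:
    """Decide whether the commit described by `line` may land in `repository`."""
    sha, status, fpr = parse_git_line(line)
    if status not in VALID_SIGNATURE:
        return Decision(False, f"{sha[:12]}: signature status {status!r} is not a verified signature")
    entry = policy.get(fpr)
    if entry is None:
        return Decision(False, f"{sha[:12]}: key {fpr or '<none>'} is not registered")
    if repository not in entry["repositories"]:
        return Decision(False, f"{sha[:12]}: {entry['user']} is not allowed to commit to {repository}")
    return Decision(True, f"{sha[:12]}: {entry['user']} may commit to {repository}")


if __name__ == "__main__":
    # Constructed sample of what git would print for Bob's signed merge commit.
    sample = ("a1" * 20) + " G C874011F0AB405110D02105534365D947228383831"
    for repo in ("company-sql", "company-web"):
        d = authorize(sample, repo)
        print("OK  " if d.allowed else "FAIL", d.reason)
```

In CI the line would come from `git log -1 --format='%H %G? %GF' "$commit"` and the process exit code would follow `Decision.allowed`; the parser rejects anything that does not look like that format, so a misconfigured `--format` fails closed rather than silently allowing the merge.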