Why don’t git servers (gitlab, github, etc…) allow for a whitelist of public GPG keys allowed to sign commits? For example, Alice owns a GPG key with fingerprint 0A1B2C3D while Bob’s is
They work together and they pass their keys’ fingerprints to the git server admin, and those fingerprints are added to the server’s whitelist. In that case, if an attacker were to compromise Alice’s or Bob’s laptop, they cannot push any backdoor to the code, since they protected their private keys with a strong passphrase and servers reject unsigned commits.
However, enforcing signed commits rather than enforcing commits signed by a trusted key means the attacker can create a new key pair on Alice’s or Bob’s laptop, using their name and email, add it to the git server and then push a commit with a backdoor (since servers typically verify that the committer email matches one email in the list of the key’s UIDs and that it matches the server’s registered email). This of course assumes a series of hypotheses (compromised laptop, ability to add GPG keys on the server, …).
For me, it’s certainly not too far-fetched if someone leaves their laptop unattended, for example (we all know an Alice or Bob who doesn’t lock their laptop while going for a coffee or to the bathroom).
Does this seem far-fetched enough for git server providers not to add this option?
Am I missing something here?
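The check the question asks for, as an added example that is not part of the original post and not GitHub's or GitLab's code: a hypothetical server-side hook that accepts a commit only when git reports a verified signature and the signing key's primary fingerprint is on an explicit allowlist. It assumes the allowlisted public keys have been imported into the keyring of the user the hook runs as (otherwise gpg cannot verify the signature at all), and it uses only git's real `%G?`, `%GP` and `%GF` log placeholders. The fingerprints, commit hashes and log lines in the sample are constructed.

```python
"""Allowlist check for GPG-signed commits, as a server-side hook would apply it.

Hypothetical example (not GitHub's or GitLab's code). Assumes the allowlisted
public keys are imported into the keyring used by git on the server, so that
signatures can be verified and their fingerprints reported.
"""
import subprocess
from dataclasses import dataclass

# One line per commit: hash, signature status, primary-key fingerprint,
# signing-key fingerprint, tab-separated (%x09 is a tab in git formats).
LOG_FORMAT = "%H%x09%G?%x09%GP%x09%GF"

# %G? values that mean "the signature itself verified". 'U' is a good
# signature from a key gpg does not consider trusted; the allowlist below
# is what decides trust here, so it counts the same as 'G'.
VALID_SIGNATURE = {"G", "U"}


@dataclass
class Verdict:
    commit: str
    ok: bool
    reason: str


def check_log_lines(lines, allowed_primary_fprs):
    """Apply the allowlist to git log lines produced with LOG_FORMAT."""
    allowed = {fpr.replace(" ", "").upper() for fpr in allowed_primary_fprs}
    verdicts = []
    for line in lines:
        if not line.strip():
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            verdicts.append(Verdict(line[:40], False, "malformed log line"))
            continue
        commit, status, primary_fpr, signing_fpr = fields
        if status == "N":
            verdicts.append(Verdict(commit, False, "unsigned commit"))
        elif status not in VALID_SIGNATURE:
            verdicts.append(Verdict(
                commit, False, f"signature did not verify (git status {status!r})"))
        elif primary_fpr.upper() not in allowed:
            # The scenario from the question: a fresh key pair with the right
            # name and email yields a valid signature, but its fingerprint is
            # not on the allowlist, so the commit is refused.
            verdicts.append(Verdict(
                commit, False,
                f"signed by key not on allowlist (primary {primary_fpr}, signing {signing_fpr})"))
        else:
            # Matching on the primary fingerprint lets Alice and Bob sign with
            # subkeys without listing every subkey on the server.
            verdicts.append(Verdict(commit, True, f"signed by allowlisted key {primary_fpr}"))
    return verdicts


def check_range(repo_dir, old_sha, new_sha, allowed_primary_fprs):
    """Run git log over a pushed range, as a pre-receive hook would."""
    # An all-zero old sha means a new ref: check everything reachable from new_sha.
    rev_range = new_sha if set(old_sha) == {"0"} else f"{old_sha}..{new_sha}"
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return check_log_lines(out.splitlines(), allowed_primary_fprs)


# --- constructed sample data: not real keys, not real commits ---
ALICE = "0A1B2C3D" + "4E5F6071" * 4       # constructed 40-hex fingerprint
BOB = "B0B0B0B0" * 5
BOB_SUBKEY = "5ABC" + "EF01" * 9           # constructed signing subkey of BOB
ATTACKER = "DEADBEEF" * 5                  # key pair created on the stolen laptop

ALLOWLIST = [ALICE, BOB]

SAMPLE_LOG = "\n".join([
    f"a1a1a1a1\tG\t{ALICE}\t{ALICE}",        # Alice, primary key signed
    f"b2b2b2b2\tG\t{BOB}\t{BOB_SUBKEY}",     # Bob, signed with a subkey
    f"c3c3c3c3\tG\t{ATTACKER}\t{ATTACKER}",  # valid signature, key not allowlisted
    "d4d4d4d4\tN\t\t",                       # unsigned
    "e5e5e5e5\tE\t\t",                       # could not be checked (key not in keyring)
])


if __name__ == "__main__":
    for v in check_log_lines(SAMPLE_LOG.splitlines(), ALLOWLIST):
        print("ACCEPT" if v.ok else "REJECT", v.commit, v.reason)
```

Running the sample accepts the first two commits and rejects the other three; the third rejection is exactly the case the question describes, a correctly signed commit from a key that was never vetted. `check_range` is the piece a real pre-receive hook would call per updated ref, exiting non-zero if any verdict is not ok.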