We are looking to introduce signing of commits into our company.
Currently we are leaning towards using GPG keys, but we can consider SSH if what we want cannot be achieved with GPG.
We are using a private Gitlab instance.
What we need:
We need all commits pushed to our git repos to be verified. Each employee should have their own signing key, which they use to verify their commits. However, we do not want employees to be able to just use any GPG key they generate, but only ones approved by the company. Moreover, admins should be able to revoke their keys if needed.
Is there a way to sign an employee generated key such that when the public key is imported into Gitlab, commits signed with the corresponding private key show up as "verified" but only if the employee's key has also been signed with our organization key?
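An added example (not from the question and not GitLab's own code) of the check the question describes, enforced outside GitLab's badge: parse `gpg --with-colons --check-sigs` output for the employee's key and accept a commit only when the organisation key holds a good, exportable certification on that key and has not issued a revocation. `ORG_KEY_FPR` and the sample gpg output are constructed placeholders; the record layout follows gpg's doc/DETAILS.

```python
import subprocess

# Hypothetical placeholder for the organisation's certifying key fingerprint (not from the question).
ORG_KEY_FPR = "0000000000000000000000000000000000000000"

# Constructed sample of `gpg --with-colons --check-sigs` output: one employee key carrying a
# self-signature plus a certification from the org key. Not real gpg output.
SAMPLE = """\
pub:u:4096:1:AAAA1111AAAA1111:1700000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
sig:!::1:AAAA1111AAAA1111:1700000000::::Alice Example <alice@example.com>:13x::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:::8:
sig:!::1:0000000000000000:1700000100::::Org CA <ca@example.com>:13x::0000000000000000000000000000000000000000:::8:
"""

def parse_check_sigs(colon_output):
    """Map primary-key fingerprint -> certification/revocation records. Fields (0-based after
    split on ':'): [1] validity ('!' good, '-' bad, '?' signer unknown), [4] signer key ID,
    [10] signature class ('13x' = class 0x13, exportable), [12] signer fingerprint (gpg >= 2.2)."""
    keys, fpr, expect_fpr = {}, None, False
    for line in colon_output.splitlines():
        f = (line.split(":") + [""] * 13)[:13]
        if f[0] == "pub":
            expect_fpr = True                      # the next 'fpr' record belongs to this key
        elif f[0] == "fpr" and expect_fpr:
            fpr, expect_fpr = f[9].upper(), False
            keys[fpr] = []
        elif f[0] in ("sig", "rev") and fpr:
            keys[fpr].append({"type": f[0], "valid": f[1], "signer_keyid": f[4].upper(),
                              "sig_class": f[10], "signer_fpr": f[12].upper()})
    return keys

def certified_by_org(records, org_fpr=ORG_KEY_FPR):
    """True iff the org key holds a good, exportable certification (class 0x10-0x13) on the key
    and has not revoked it; bad or unverifiable signatures never count."""
    org_fpr = org_fpr.upper()
    from_org = [r for r in records
                if r["signer_fpr"] == org_fpr or r["signer_keyid"] == org_fpr[-16:]]
    if any(r["type"] == "rev" and r["valid"] == "!" for r in from_org):
        return False                               # org revoked its certification
    return any(r["type"] == "sig" and r["valid"] == "!" and r["sig_class"][:2] in
               ("10", "11", "12", "13") and r["sig_class"].endswith("x") for r in from_org)

def commit_is_org_certified(repo, rev, org_fpr=ORG_KEY_FPR):
    """Resolve the commit's primary signing key via git's %GP placeholder and check it.
    Needs git and gpg on PATH with the keys imported (e.g. in a pre-receive hook or CI job)."""
    signer = subprocess.run(["git", "-C", repo, "log", "-1", "--format=%GP", rev],
                            capture_output=True, text=True, check=True).stdout.strip()
    if not signer:                                 # unsigned, or signing key not in the keyring
        return False
    out = subprocess.run(["gpg", "--batch", "--with-colons", "--check-sigs", signer],
                         capture_output=True, text=True).stdout
    return certified_by_org(parse_check_sigs(out).get(signer.upper(), []), org_fpr)
```

Because the decision is made from the org key's certifications rather than from which keys are uploaded to GitLab, revoking an employee's approval is a matter of publishing the org key's revocation certificate for that key into the keyring the hook uses.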