author: GitLab Bot <gitlab-bot@gitlab.com> 2022-10-04 13:03:25 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-10-04 13:03:25 +0000
commit: 5ee4e9ad1869fca6cc8e5695126d9ca7391dc275
tree: 710b55ebfeaf86ff0e17c2cf922431d5d1e04d56 /doc/administration
parent: 7b81da9dd7775c048776d8b4acd117e022bce3ce
Add latest changes from gitlab-org/gitlab@15-4-stable-ee
Diffstat (limited to 'doc/administration')
-rw-r--r-- doc/administration/gitaly/configure_gitaly.md | 50
-rw-r--r-- doc/administration/gitaly/reference.md | 1
2 files changed, 51 insertions, 0 deletions
diff --git a/doc/administration/gitaly/configure_gitaly.md b/doc/administration/gitaly/configure_gitaly.md
index ac03c3ffc02..bfd252a9f42 100644
--- a/doc/administration/gitaly/configure_gitaly.md
+++ b/doc/administration/gitaly/configure_gitaly.md
@@ -1340,3 +1340,53 @@ value = "ignore"
key = "receive.fsck.hasDotgit"
value = "ignore"
```
+
+## Configure commit signing for GitLab UI commits
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/19185) in GitLab 15.4.
+
+By default, Gitaly doesn't sign commits made using GitLab UI. For example, commits made using:
+
+- Web editor.
+- Web IDE.
+- Merge requests.
+
+You can configure Gitaly to sign commits made using GitLab UI. The commits show as unverified and signed by an unknown user. Support for improvements is
+proposed in issue [19185](https://gitlab.com/gitlab-org/gitlab/-/issues/19185).
+
+**For Omnibus GitLab**
+
+1. [Create a GPG key](../../user/project/repository/gpg_signed_commits/index.md#create-a-gpg-key)
+ and export it. For optimal performance, consider using an EdDSA key.
+
+ ```shell
+ gpg --export-secret-keys <ID> > signing_key.gpg
+ ```
+
+1. On the Gitaly nodes, copy the key into `/etc/gitlab/gitaly/`.
+1. Edit `/etc/gitlab/gitlab.rb` and configure `gitaly['gpg_signing_key_path']`:
+
+ ```ruby
+ gitaly['gpg_signing_key_path'] = "/etc/gitlab/gitaly/signing_key.gpg"
+ ```
+
+1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure).
+
+**For installations from source**
+
+1. [Create a GPG key](../../user/project/repository/gpg_signed_commits/index.md#create-a-gpg-key)
+ and export it. For optimal performance, consider using an EdDSA key.
+
+ ```shell
+ gpg --export-secret-keys <ID> > signing_key.gpg
+ ```
+
+1. On the Gitaly nodes, copy the key into `/etc/gitlab`.
+1. Edit `/home/git/gitaly/config.toml` and configure `signing_key`:
+
+ ```toml
+ [git]
+ signing_key = "/etc/gitlab/gitaly/signing_key.gpg"
+ ```
+
+1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source).
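Review bot: In the "For installations from source" steps, the key is copied into `/etc/gitlab`, but the `signing_key` value two lines later points at `/etc/gitlab/gitaly/signing_key.gpg`, so following the steps literally leaves Gitaly configured with a path where no key exists. Make the copy destination match the configured path (the Omnibus steps already use `/etc/gitlab/gitaly/`). Separately, both procedures export a secret key with `gpg --export-secret-keys <ID> > signing_key.gpg` and copy it to every Gitaly node without saying who should own the file or what mode it should have. Add a step that restricts read access to the account Gitaly runs as, and a reminder to delete the intermediate `signing_key.gpg` from the machine where it was exported. Since the text says these commits show as unverified and signed by an unknown user, it would also help to recommend a key dedicated to this purpose instead of reusing a personal one.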
diff --git a/doc/administration/gitaly/reference.md b/doc/administration/gitaly/reference.md
index 91780ec5661..2542848c7a8 100644
--- a/doc/administration/gitaly/reference.md
+++ b/doc/administration/gitaly/reference.md
@@ -129,6 +129,7 @@ The following values can be set in the `[git]` section of the configuration file
| ---- | ---- | -------- | ----------- |
| `bin_path` | string | no | Path to Git binary. If not set, is resolved using `PATH`. |
| `catfile_cache_size` | integer | no | Maximum number of cached [cat-file processes](#cat-file-cache). Default is `100`. |
+| `signing_key` | string | no | Path to [GPG signing key](configure_gitaly.md#configure-commit-signing-for-gitlab-ui-commits). If not set, Gitaly doesn't sign commits made using the UI. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/19185) in GitLab 15.4. |
#### `cat-file` cache
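Review bot: The new `signing_key` row describes the value as "Path to GPG signing key", which does not say that the file must contain the exported secret key (the output of `gpg --export-secret-keys` in the linked procedure) and not a key ID or a public key. Suggest wording such as "Path to the exported GPG secret key file". The row could also mention that the same procedure uses `gitaly['gpg_signing_key_path']` for Omnibus GitLab, since the two names differ and a reader searching this table for the Omnibus name will not find it.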