Git commit workflow that only commits when the GPG key is GPG signed by a specific 3rd party

Here's my scenario. Is there a way so that when you git commit, it will only commit into the branch if the GPG key used has been GPG signed by a specific person or organization or 3rd party?

What I’m trying to do is that you can only commit with a GPG key AND that GPG key has been signed by a 3rd party organization (like a company or person) so that you can’t just use any GPG key (specifically one that has been self generated).

Example.   Albert has a GPG key. has signed Albert’s GPG key.   Albert commits code with GPG key.  Since is a whitelisted GPG sign (set via project?)  on Albert’s GPG key, the commit goes through.   George has a GPG key.   No one has signed George’s GPG key or not on whitelisted GPG sign list.   George tries to commit and it is rejected.

Hi @alberttwong! :wave:

GitHub’s protected branches feature supports making a requirement that all commits be signed:

…but unfortunately that would allow people to use a self generated key so it doesn’t quite do the trick!

We’re always working to improve GitHub, and we consider every suggestion we receive, so perhaps you’d like to submit a feature request through our official product feedback form so that our product team can see exactly how you’d like signed commit enforcement on GitHub to work?
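
The check asked about in this thread can be run in CI or a server-side hook you control. The following is an added example, not part of the thread and not a GitHub feature: it reads the GnuPG status lines that `git verify-commit --raw` writes to stderr and accepts a commit only when GnuPG rates the signing key as fully valid. It assumes a dedicated keyring (the hypothetical `gnupghome` directory) in which only the third party's key has been given ownertrust, so a key is valid only if that party certified it; the sample status output is constructed.

```python
import os
import subprocess

# GnuPG status keywords (see doc/DETAILS in the GnuPG source tree).
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # validity of the signing key


def check_status(raw):
    """Decide on one commit from gpg status output; returns (ok, reason)."""
    keywords, fingerprint = set(), None
    for line in raw.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keywords.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2]
    if keywords & BAD:
        return False, "rejected: " + ", ".join(sorted(keywords & BAD))
    if "GOODSIG" not in keywords or fingerprint is None:
        return False, "rejected: no valid signature"
    if not keywords & TRUSTED:
        return False, "rejected: key not certified by a trusted signer: " + fingerprint
    return True, "accepted: " + fingerprint


def check_commit(rev, gnupghome):
    """Verify rev with the dedicated keyring (gnupghome is an assumed path)."""
    env = dict(os.environ, GNUPGHOME=gnupghome)
    proc = subprocess.run(["git", "verify-commit", "--raw", rev],
                          env=env, capture_output=True, text=True)
    return check_status(proc.stderr)


# Constructed sample status output; fingerprints and names are made up.
def sample(name, fpr, trust):
    return ("[GNUPG:] NEWSIG\n"
            "[GNUPG:] GOODSIG %s %s (constructed) <%s@example.com>\n"
            "[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n"
            "[GNUPG:] %s 0 pgp\n" % (fpr[-16:], name, name.lower(), fpr, fpr, trust))


ALBERT = sample("Albert", "A" * 40, "TRUST_FULLY")      # key certified by the third party
GEORGE = sample("George", "B" * 40, "TRUST_UNDEFINED")  # self-generated, uncertified key

if __name__ == "__main__":
    for label, status in (("Albert", ALBERT), ("George", GEORGE), ("unsigned", "")):
        print(label, check_status(status))
```

A good signature alone is not enough here: George's commit verifies cryptographically but is rejected because GnuPG reports `TRUST_UNDEFINED` for his key.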