Git commit workflow that only commits when the GPG key is GPG signed by a specific 3rd party

Here's my scenario. Is there a way so that when you git commit, it will only commit into the branch if the GPG key used has been GPG signed by a specific person or organization or 3rd party?

What I’m trying to do is that you can only commit with a GPG key AND that GPG key has been signed by a 3rd party organization (like a company or person) so that you can’t just use any GPG key (specifically one that has been self generated).

Example. Albert has a GPG key. david@microsoft.com has signed Albert’s GPG key. Albert commits code with his GPG key. Since david@microsoft.com is a whitelisted GPG sign (set via project?) on Albert’s GPG key, the commit goes through. George has a GPG key. No one has signed George’s GPG key, or the signer is not on the whitelisted GPG sign list. George tries to commit and it is rejected.

Hi @alberttwong! :wave:

GitHub’s protected branches feature supports making a requirement that all commits be signed:

https://help.github.com/en/github/administering-a-repository/enabling-required-commit-signing

…but unfortunately that would allow people to use a self generated key so it doesn’t quite do the trick!

We’re always working to improve GitHub, and we consider every suggestion we receive, so perhaps you’d like to submit a feature request through our official product feedback form so that our product team can see exactly how you’d like signed commit enforcement on GitHub to work?
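One way a check run outside GitHub (for example in CI or a server-side hook) could enforce the rule asked about in this thread, as an added example that is not from the original posts and is not a GitHub feature. It decides from `gpg --check-sigs --with-colons` output whether the committer's key carries a good, unrevoked certification from an allow-listed key. Assumptions: the verifying keyring is curated and holds the certifier's public key, the listing is for the key that signed the commit, and the function name, key IDs and sample listings are constructed.

```python
# Added example. Samples are constructed, shaped like `gpg --check-sigs --with-colons`.
CERT_CLASSES = {"10", "11", "12", "13"}   # OpenPGP certification signature types

def trusted_certifiers(colon_listing, allowed_key_ids):
    """Allow-listed key IDs with a good, unrevoked certification on a user ID
    of the first key in the listing (hypothetical helper)."""
    allowed = {k.upper() for k in allowed_key_ids}
    own_id, in_uid = None, False
    good, revoked = set(), set()
    for line in colon_listing.splitlines():
        f = line.strip().split(":")
        if f[0] == "pub":
            if own_id is not None:
                break                      # inspect the signer's key only
            own_id = f[4].upper()
        elif f[0] in ("uid", "uat", "sub"):
            in_uid = f[0] == "uid"         # ignore subkey binding signatures
        elif f[0] in ("sig", "rev") and in_uid and len(f) > 10:
            issuer = f[4].upper()
            if not f[1].startswith("!") or issuer == own_id:
                continue                   # unverified, bad, or a self-signature
            if f[0] == "rev":
                revoked.add(issuer)        # fail closed on any good revocation
            elif f[10][:2] in CERT_CLASSES:
                good.add(issuer)
    return (good - revoked) & allowed

DAVID = "DDDDDDDDDDDDDDD1"                  # constructed certifier key ID
ALBERT = """\
pub:f:4096:1:AAAAAAAAAAAAAAA1:1600000000:::-:::scESC:
uid:f::::1600000000::::Albert <albert@example.org>:
sig:!::1:AAAAAAAAAAAAAAA1:1600000000::::Albert <albert@example.org>:13x:
sig:!::1:DDDDDDDDDDDDDDD1:1600000100::::David <david@example.org>:10x:
"""
GEORGE = """\
pub:-:4096:1:6666666666666661:1600000000:::-:::scESC:
uid:-::::1600000000::::George <george@example.org>:
sig:!::1:6666666666666661:1600000000::::George <george@example.org>:13x:
sig:-::1:DDDDDDDDDDDDDDD1:1600000200::::David <david@example.org>:10x:
sig:!::1:EEEEEEEEEEEEEEE1:1600000300::::Mallory <m@example.org>:10x:
"""
REVOKED = ALBERT + "rev:!::1:DDDDDDDDDDDDDDD1:1600000400::::David <david@example.org>:30x:\n"

if __name__ == "__main__":
    for name, listing in (("Albert", ALBERT), ("George", GEORGE), ("revoked", REVOKED)):
        ok = bool(trusted_certifiers(listing, {DAVID}))
        print(name, "accept" if ok else "reject")
```

Matching on the 64-bit key ID is only sound because the signature was verified against a key in the curated keyring; a keyring that accepts arbitrary imported keys would need the allow-list pinned to full fingerprints instead.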