How to limit pushing operation to allow only commits that are signed with GPG in github

Question

I've a Github repository we share for our development. To ensure the integrity we decided to sign our commits and tags with GPG.

Now, how do I prevent developers from pushing unsigned commits to our repository in Github and also white-list GPG public keys to allow pushing commits singed with white-listed public keys

I checked out some pre-pushing hooks but didn't work out the way I described above and here it is.

remote="$1"
url="$2"

z40=0000000000000000000000000000000000000000

IFS=' '
while read local_ref local_sha remote_ref remote_sha
do
    if [ "$local_sha" = $z40 ]
    then
    # Handle delete
    else
    if [ "$remote_sha" = $z40 ]
    then
        # New branch, examine all commits
        range="$local_sha"
    else
        # Update to existing branch, examine new commits
        range="$remote_sha..$local_sha"
    fi

    # Check for WIP commit
    commit=`git rev-list -n 1 --grep '^WIP' "$range"`
    if [ -n "$commit" ]
    then
        echo "Found WIP commit in $local_ref, not pushing"
        exit 1
     fi
    fi
 done
exit 0

How can I get this done? Any notion or examples would be highly appreciated.

Answer 1

It looks like you are on GitHub Enterprise and trying to create a pre-receive hook script that rejects any unsigned commits - correct? If so, here is an open source GPG script from GitHub. If you are on GitHub.com, please note they do not support pre-receive hooks and instead you would want to set up a protected branch with required status check to reject unsigned work.

As for setting up keys, have you checked out this article?