Who can add a gpg key? #323
Replies: 1 comment
The security of your repository is 100% limited by who has write access to the directory it is hosted in or remote commit access to it. If you are not securing those things you are toast. Yes, anybody with write access to the directory, or who can send their own commits and get them integrated, can add their own GPG keys and be able to read future commits that touch encrypted files. Additionally (as is already called out in the README) they could just edit the .gitattributes file and cause the files to be decrypted the next time you touch them and not encrypted again on commit, another venue for leaking data. The contents of the encrypted blob are secure, but typically in a local checkout on your machine you will have the secrets unlocked anyway. For remote repositories presumably either people don't have access to tamper with the file system and/or you manage what commits get merged and used in production. Those safeguards are up to you to enforce.
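As an added defensive check, not part of the reply above or of the git-crypt project: a small Python audit that scans a unified diff (for example `git diff base...head`) for the two changes the reply describes, a key file appearing under `.git-crypt/keys/` (a new party able to read future encrypted commits) and a removed `filter=git-crypt` line in `.gitattributes` (files that would be committed in the clear from then on). The sample diff and the GPG fingerprint in it are constructed.

```python
"""Flag git-crypt trust changes in a unified diff, e.g. `git diff base...head`."""
import re

# git-crypt stores one GPG-wrapped copy of the repository key per collaborator here.
KEY_DIR_PREFIX = ".git-crypt/keys/"
# .gitattributes lines that route a pattern through git-crypt's clean/smudge filter.
FILTER_RE = re.compile(r"filter\s*=\s*git-crypt")
HEADER_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)$")


def audit_diff(diff_text):
    """Return paths and lines a reviewer should check before merging."""
    findings = {"key_files": [], "removed_filters": []}
    current = None
    for line in diff_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            if current.startswith(KEY_DIR_PREFIX):
                findings["key_files"].append(current)  # new or changed reader key
            continue
        if current is None or not current.endswith(".gitattributes"):
            continue
        # A removed filter line means that pattern is no longer encrypted on commit.
        if line.startswith("-") and not line.startswith("---") and FILTER_RE.search(line):
            findings["removed_filters"].append(line[1:].strip())
    return findings


# Constructed sample: one new collaborator key plus a weakened .gitattributes.
SAMPLE_DIFF = """\
diff --git a/.git-crypt/keys/default/0/0123456789ABCDEF0123456789ABCDEF01234567.gpg b/.git-crypt/keys/default/0/0123456789ABCDEF0123456789ABCDEF01234567.gpg
new file mode 100644
Binary files /dev/null and b/.git-crypt/keys/default/0/0123456789ABCDEF0123456789ABCDEF01234567.gpg differ
diff --git a/.gitattributes b/.gitattributes
index 1111111..2222222 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,2 @@
-secrets/** filter=git-crypt diff=git-crypt
 *.md text
-config/prod.env filter=git-crypt diff=git-crypt
+config/prod.env text
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    result = audit_diff(text)
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
    sys.exit(1 if any(result.values()) else 0)
```

Run it over the merge range in CI or a pre-receive hook and fail the merge on a non-zero exit, so that adding a reader or weakening the attributes always goes through explicit review.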
I did not find any documentation for it.
Who can add a GPG user?
If e.g. git-crypt is already initialised, do I have to unlock it before adding additional users, or can a user just plant his public key there and be able to decrypt future commits?