On 2018-06-13, Dominik Psenner wrote:

> As far as I can tell, the secrets stored in jenkins.a.o are
> trustworthy. For instance I used a github access token generated from
> my github account that grants jenkins access to the log4net-logging
> repository on github. I am convinced that nobody else can steal that
> token without logging in to jenkins using my credentials. Stefan,
> would you please elaborate on the reasoning for why you do not trust pgp
> signatures issued by builds.a.o?

Maybe just because I'm paranoid. How would you store the private part of
a PGP key in Jenkins in a way that cannot be compromised by people who
log in to Jenkins or a malicious Jenkins addon that gets installed?

Stefan
