On 04/03/2023 17:18, Ave Milia via Gnupg-users wrote:
> What are some available solutions? How would you suggest to organize the keys?
> Maybe, there should be some signing server in place, that the developers send
> an artifact to?

I built something similar for $WORK. You lock down the signing server and use your preferred form of authentication to allow only your developers (and the build server) to submit an artifact for signature. This could be done using a simple REST API.

Once you have this in place, it would be easy to extend it with a second signing key for development purposes only, and make sure that only the production public key is distributed with your production artifacts. That way all your developers can get their dev builds signed, but only your build server and maybe your release manager have the credentials to sign with the production key. This could be done by linking the signing key to the user credentials, or by having two signing servers.

A
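A minimal version of the credential-to-key policy described above, added here as an example (not code from this thread or from the author's $WORK server): the private keys never leave the process, each bearer token is a constructed sample credential, and the credential alone decides which key may be used. Ed25519 stands in for whatever key type the real signing server holds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)
type KeyID string // names a signing key; the keys themselves live only on the server

const (
	DevKey  KeyID = "dev"  // developer builds; its public key is not shipped with releases
	ProdKey KeyID = "prod" // release artifacts; only the build server / release manager may use it
)
var ErrUnauthorized = errors.New("unknown credential")
var ErrForbidden = errors.New("credential may not use this key")

// SigningServer keeps private keys in process and maps each credential (a constructed
// bearer token here) to the set of keys it may use; callers only ever get signatures back.
type SigningServer struct {
	keys    map[KeyID]ed25519.PrivateKey
	allowed map[string]map[KeyID]bool
}

func NewSigningServer() *SigningServer {
	_, dev, _ := ed25519.GenerateKey(rand.Reader)
	_, prod, _ := ed25519.GenerateKey(rand.Reader)
	return &SigningServer{
		keys: map[KeyID]ed25519.PrivateKey{DevKey: dev, ProdKey: prod},
		allowed: map[string]map[KeyID]bool{
			"dev-token-alice":    {DevKey: true},                // a developer: dev key only
			"build-server-token": {DevKey: true, ProdKey: true}, // CI: may also sign releases
		},
	}
}

// Sign is what the REST endpoint calls: authenticate the token, check that it may use
// the requested key, then sign the artifact. An unknown key ID is simply forbidden.
func (s *SigningServer) Sign(token string, key KeyID, artifact []byte) ([]byte, error) {
	perms, ok := s.allowed[token]
	if !ok {
		return nil, ErrUnauthorized
	}
	if !perms[key] {
		return nil, ErrForbidden
	}
	return ed25519.Sign(s.keys[key], artifact), nil
}

// PublicKey is what ships with artifacts; distribute only ProdKey's with releases.
func (s *SigningServer) PublicKey(key KeyID) ed25519.PublicKey {
	return s.keys[key].Public().(ed25519.PublicKey)
}
```

Linking the policy to credentials this way keeps one server; the two-server variant the post mentions would simply hold one key each with its own credential set.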

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
