Optimal workflow with GPG signatures from multiple parties

2023-03-04 Thread Ave Milia via Gnupg-users
Hi list, We have a build server, it stores a private key and is capable of signing the resulting build artifact. The artifact then gets verified in the target environment during installation. There are multiple issues with the current approach: 1. A random developer cannot trigger a build on the

Re: Optimal workflow with GPG signatures from multiple parties

2023-03-04 Thread Jacob Bachmeyer via Gnupg-users
Ave Milia via Gnupg-users wrote: Logically, it probably should not be as simple as the developer deploying their personal public key into the target environment and then signing their artifact, for two reasons: the target environment gets wiped, and it practically cannot account for all