Re: Optimal workflow with GPG signatures from multiple parties

2023-03-06 Thread Andrew Gallagher via Gnupg-users
On 04/03/2023 17:18, Ave Milia via Gnupg-users wrote: What are some available solutions? How would you suggest to organize the keys? Maybe, there should be some signing server in place, that the developers send an artifact to? I built something similar for $WORK. You lock down the signing

Re: Optimal workflow with GPG signatures from multiple parties

2023-03-04 Thread Jacob Bachmeyer via Gnupg-users
Ave Milia via Gnupg-users wrote: Logically, it probably should not be as simple as the developer deploying their personal public key into the target environment and then signing their artifact, for two reasons: the target environment gets wiped, and it practically cannot account for all

Optimal workflow with GPG signatures from multiple parties

2023-03-04 Thread Ave Milia via Gnupg-users
Hi list, We have a build server, it stores a private key and is capable of signing the resulting build artifact. The artifact then gets verified in the target environment during installation. There are multiple issues with the current approach: 1. A random developer cannot trigger a build on the
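The workflow sketched across this thread (a locked-down signing host that developers submit artifacts to, detached signatures from more than one party, and a verifier in the target environment that trusts a fixed keyring instead of each developer's personal key) can be shown end to end in a few dozen lines. The following is an added example and not code from the thread or from GnuPG: it uses Go's standard crypto/ed25519 as a stand-in for OpenPGP signatures so it runs offline, and the key ids, quorum parameter, and artifact bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signature is a detached signature over an artifact, tagged with the key id
// the signer claims. The key id is only a lookup hint; it is never trusted on
// its own (the signature must verify under the pinned key with that id).
type Signature struct {
	KeyID string
	Sig   []byte
}

// Signer models one signing party: a developer key or the signing service.
type Signer struct {
	KeyID string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

// NewSigner generates a fresh keypair. In the real workflow the private key
// lives on the locked-down signing host (or in an HSM), not on a laptop.
func NewSigner(keyID string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{KeyID: keyID, Pub: pub, priv: priv}, nil
}

// Sign returns a detached signature over the artifact bytes.
func (s *Signer) Sign(artifact []byte) Signature {
	return Signature{KeyID: s.KeyID, Sig: ed25519.Sign(s.priv, artifact)}
}

// Keyring is the fixed set of trusted public keys baked into the installer,
// so a freshly wiped target environment needs no per-developer key deployment.
type Keyring map[string]ed25519.PublicKey

// Verify checks detached signatures against the pinned keyring and requires
// at least quorum valid signatures from distinct trusted keys. It returns the
// number of distinct trusted keys whose signature verified.
func Verify(kr Keyring, quorum int, artifact []byte, sigs []Signature) (int, error) {
	if quorum < 1 || quorum > len(kr) {
		return 0, fmt.Errorf("quorum %d not satisfiable with %d trusted keys", quorum, len(kr))
	}
	counted := make(map[string]bool)
	for _, s := range sigs {
		pub, trusted := kr[s.KeyID]
		if !trusted || counted[s.KeyID] {
			continue // unknown key, or a second signature from the same key
		}
		if ed25519.Verify(pub, artifact, s.Sig) {
			counted[s.KeyID] = true
		}
	}
	if len(counted) < quorum {
		return len(counted), fmt.Errorf("only %d of %d required signatures verified", len(counted), quorum)
	}
	return len(counted), nil
}

func main() {
	// Constructed sample: two trusted parties and one outsider.
	alice, _ := NewSigner("alice@example.org")
	bob, _ := NewSigner("bob@example.org")
	mallory, _ := NewSigner("mallory@example.org")
	kr := Keyring{alice.KeyID: alice.Pub, bob.KeyID: bob.Pub}
	artifact := []byte("app-1.2.3.tar.gz (constructed sample contents)")

	n, err := Verify(kr, 2, artifact, []Signature{alice.Sign(artifact), bob.Sign(artifact)})
	fmt.Println("developer + release signer:", n, err)

	n, err = Verify(kr, 2, artifact, []Signature{alice.Sign(artifact), mallory.Sign(artifact)})
	fmt.Println("untrusted co-signer:", n, err)

	forged := mallory.Sign(artifact)
	forged.KeyID = bob.KeyID // claims bob's key id but cannot produce bob's signature
	n, err = Verify(kr, 2, artifact, []Signature{alice.Sign(artifact), forged})
	fmt.Println("spoofed key id:", n, err)
}
```

The two design points worth carrying over to the GPG version are that the verifier only ever consults a keyring it shipped with (the equivalent of `gpgv --keyring` against a file pinned in the installer image), and that a quorum is counted over distinct trusted keys, so a developer re-signing twice or an unknown key claiming a trusted id adds nothing.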