Multiple dev one signing key
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Mar 10 00:05:35 CET 2019
On Fri 2019-03-08 20:05:53 +0100, john doe wrote:
> I'm considering working on a project that has only for now a couple of
> developers.
> As part of that project everything that will be released will need to be
> gpg signed.
>
> What is the best way forward?
> - One signing key accessible on the release system
> - Each dev having a copy of the key to be able to sign a release
> - Other suggestions
>
> In other words: What is, if any, the best way to sign a file, when the
> same key is to be used by multiple persons.
This really depends on the development workflow and practices of your
team, and the security requirements of your users. So there's no one
clear answer.
 * Does your team have a single release manager, who is responsible for
   deciding when a release is fully-baked? If so, let the release
   manager hold the signing key, and no one else.

 * Do many different people cut releases in your team? If so, you
   could:

    a) share a secret signing-capable subkey among all the people who
       make releases

    b) if the primary key is signing-capable, share the associated
       secret key among all the people who make releases.

    c) make an OpenPGP certificate with multiple signing-capable
       subkeys, one per release operator

 * Do you need *multiple* people to sign off on a release? In that
   case, you might need some fancier approach (or you might need to
   modify how your users or downstreams are expected to verify the
   releases).
Does this make sense? Sorry to not have One True Answer™ for you!
--dkg
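Option c) carried through as an added example (not from dkg's reply or from GnuPG's own documentation): a certify-only primary key, one signing subkey per release operator, each operator handed only their own secret subkey, and verification reporting which subkey signed a release. The user ID, the operator names and the throwaway GNUPGHOME are assumptions.

```shell
#!/bin/sh
# Option c) worked through with gpg: one project certificate whose primary key
# is certify-only, plus one signing-capable subkey per release operator.
# Everything lives in a throwaway GNUPGHOME (constructed example).
set -eu
export GNUPGHOME="$(mktemp -d)"
trap 'rm -rf "$GNUPGHOME"' EXIT
# Hypothetical user ID for the project's release certificate.
RELEASE_UID="Example Project Releases <releases@example.org>"
# gpg wrapper: unattended, empty passphrase (example only; real keys need one).
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Primary key with "cert" capability only: it certifies subkeys and user IDs,
# never release files. Then one signing subkey per operator, each with an
# expiry so rotation is routine. Prints the primary fingerprint.
setup_release_cert() {
  g --quick-gen-key "$RELEASE_UID" ed25519 cert never 2>/dev/null
  fpr=$(g --with-colons --list-keys "$RELEASE_UID" |
        awk -F: '$1=="fpr" {print $10; exit}')
  for operator in alice bob; do            # one subkey per release operator
    g --quick-add-key "$fpr" ed25519 sign 1y 2>/dev/null
  done
  echo "$fpr"
}

# Fingerprints of all signing-capable subkeys (capability field 12 has "s").
signing_subkeys() {
  g --with-colons --list-keys "$1" |
    awk -F: '$1=="sub" && $12 ~ /s/ {want=1; next}
             want && $1=="fpr" {print $10; want=0}'
}

# Hand one operator only their own secret subkey: the trailing "!" selects
# exactly that subkey, so the export carries neither the primary secret key
# nor the other operators' subkeys.
export_operator_subkey() {
  g --armor --export-secret-subkeys "$1!"
}

# Sign a release file with one operator's subkey, then verify and print the
# fingerprint of the subkey that made the signature (VALIDSIG field 3), which
# is how a downstream can tell which operator signed a given release.
sign_and_identify() {
  subkey=$1; file=$2
  g --armor --detach-sign --local-user "$subkey!" --output "$file.asc" "$file"
  g --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null |
    awk '$2=="VALIDSIG" {print $3}'
}
```

Run setup_release_cert once, pick a subkey fingerprint from signing_subkeys, and sign_and_identify prints that same fingerprint back after verification.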