Multiple dev one signing key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Mar 10 00:05:35 CET 2019


On Fri 2019-03-08 20:05:53 +0100, john doe wrote:

> I'm considering working on a project that has only for now a couple of
> developers.
> As part of that project everything that will be released will need to be
> gpg signed.
>
> What is the best way forward?
> - One signing key accessible on the release system
> - Each dev having a copy of the key to be able to sign a release
> - Other suggestions
>
> In other words: What is, if any, the best way to sign a file, when the
> same key is to be used by multiple persons.

This really depends on the development workflow and practices of your
team, and the security requirements of your users.  So there's no one
clear answer.

 * Does your team have a single release manager, who is responsible for
   deciding when a release is fully-baked?  If so, let the release
   manager hold the signing key, and no one else.

 * Do many different people cut releases in your team?  If so, you
   could:

    a) share a secret signing-capable subkey among all the people who
       make releases

    b) if the primary key is signing-capable, share the associated
       secret key among all the people who make releases.

    c) make an OpenPGP certificate with multiple signing-capable
       subkeys, one per release operator

 * Do you need *multiple* people to sign off on a release?  In that
   case, you might need some fancier approach (or you might need to
   modify how your users or downstreams are expected to verify the
   releases).

Does this make sense?  Sorry to not have One True Answer™ for you!

     --dkg
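Option (c) from dkg's reply, worked through as an added example that is not part of the thread and not GnuPG project code: a certify-only primary key kept by the release manager, one ed25519 signing subkey per release operator, each operator handed only their own subkey's secret, and the VALIDSIG status line on the verifying side mapping a release signature back to the operator who made it. Assumes GnuPG 2.1 or later on PATH; the project identity and the operator names alice and bob are constructed for the demo.

```shell
#!/bin/sh
# Added example: per-operator signing subkeys on one OpenPGP certificate.
# Assumes GnuPG >= 2.1; project identity and operators are constructed.
set -e

# Unattended gpg: no passphrase, no pinentry.
gpgb() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Builds the certificate, exports one subkey per operator, signs a release
# as alice and prints the operator name recovered from the signature.
demo_per_operator_subkeys() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
  work=$(mktemp -d)
  # Certify-only primary key: the release manager keeps it, nobody else.
  gpgb --quick-generate-key "Example Project <release@example.invalid>" ed25519 cert never 2>/dev/null
  primary=$(gpgb --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
  # One signing-capable subkey per operator on the same certificate.
  for op in alice bob; do
    gpgb --quick-add-key "$primary" ed25519 sign never 2>/dev/null
  done
  # Subkeys list in creation order; record the mapping and export each one
  # alone. The '!' suffix limits the export to that subkey plus a primary
  # stub, so an operator holds no certify capability.
  i=0
  for fpr in $(gpgb --with-colons --list-secret-keys \
               | awk -F: '$1=="ssb"{w=1;next} w&&$1=="fpr"{print $10;w=0}'); do
    i=$((i+1)); [ "$i" -eq 1 ] && op=alice || op=bob
    echo "$fpr $op" >> "$work/operators.txt"
    gpgb --output "$work/$op.subkey.gpg" --export-secret-subkeys "$fpr!"
  done
  # alice cuts a release using only her subkey (constructed payload).
  printf 'release payload\n' > "$work/release.tar"
  alice_fpr=$(awk '$2=="alice"{print $1}' "$work/operators.txt")
  gpgb --local-user "$alice_fpr!" --detach-sign --output "$work/release.tar.sig" "$work/release.tar"
  # Verifier side: VALIDSIG carries the signing subkey's fingerprint, which
  # is what lets a release log say which operator actually signed.
  signer=$(gpg --batch --status-fd 1 --verify "$work/release.tar.sig" "$work/release.tar" 2>/dev/null \
           | awk '$2=="VALIDSIG"{print $3}')
  result=$(awk -v s="$signer" '$1==s{print $2}' "$work/operators.txt")
  gpgconf --kill all >/dev/null 2>&1 || true
  rm -rf "$GNUPGHOME" "$work"
  printf '%s\n' "$result"   # prints: alice
}

demo_per_operator_subkeys
```

Revoking one operator's subkey with the primary key withdraws that person's ability to sign without touching the other operators' subkeys or the certificate's identity.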