Multiple dev one signing key
john doe
johndoe65534 at mail.com
Mon Mar 11 12:43:27 CET 2019
On 3/10/2019 8:29 PM, Werner Koch wrote:
> On Fri, 8 Mar 2019 20:05, johndoe65534 at mail.com said:
>
>> What is the best way forward?
>> - One signing key accessible on the release system
>
> I'd say depends on the release system. In most cases this is a
> networked box and I would hesitate to do this. Using gpg with a
> remote gpg-agent would be an option, though.
>
Looks like this approach is out of the question, we are scattered around
the world without knowing each other in real life! :)
>> - Each dev having a copy of the key to be able to sign a release
>
> That is what we do in GnuPG. We have a few core developers which carry
> a key and that set of keys is distributed with each gpg release and also
> via other channels. We also demand that the keys are all smartcard based
> and thus a remote key compromise would need physical access. Well, a
> developer could be tricked into signing a bad release but at least this
> would not compromise the widely distributed key.
>
> We often add a second signature to a release. For example, I sign many
> of the releases and when Niibe-san then sends me his signature for the
> same tarball I then append that signature to mine [1]. This is also the
> reason why you often notice a changed signature file (you can simply
> concatenate detached signatures). For a small group this works really
> well, but for a larger group the system Konstantin describes in his mail
> is better up to the task.
>
Just to be clear, you Werner will sign everything that needs to be
signed for a release with your personal key.
As an extra layer of security Niibe will also sign the release and send
you the detached signature.
Is that correct or what am I missing?
Thank you Werner for your input, along with Werner's input I'd also like
to thank the below two for their input:
Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Konstantin Ryabitsev <konstantin at linuxfoundation.org>
--
John Doe
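The multi-signer scheme Werner describes (several detached signatures concatenated into one .sig file) is only useful to a downstream verifier if something actually enforces "at least N of the known core signers signed this tarball". The following is an added example, not code from the GnuPG project or from anyone on this thread: it reads gpg's machine-readable --status-fd output for a concatenated detached signature and applies such a threshold. The fingerprints and status lines are constructed placeholders, and the gpg invocation assumes gpg is on PATH.

```python
"""Enforce an N-of-M release-signing policy over a concatenated detached
signature file, using gpg's --status-fd output. Added example; not GnuPG
project code. All fingerprints below are constructed placeholders."""
import subprocess
from typing import Iterable

def gpg_status_lines(sig_path: str, data_path: str) -> list[str]:
    """Run gpg --verify and return its status lines (assumes gpg on PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.stdout.splitlines()

def signers_from_status(lines: Iterable[str]) -> tuple[set[str], int]:
    """Collect the primary-key fingerprint of every VALIDSIG and count
    BADSIG/ERRSIG lines. A concatenated .sig produces one NEWSIG/VALIDSIG
    group per signature, so every signer shows up separately."""
    valid: set[str] = set()
    bad = 0
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        f = line.split()
        if f[1] == "VALIDSIG":
            # f[2] is the signing (sub)key fpr; the optional 12th field is the
            # primary key fpr, which is what a signer roster should list.
            valid.add(f[11] if len(f) >= 12 else f[2])
        elif f[1] in ("BADSIG", "ERRSIG"):
            bad += 1
    return valid, bad

def check_release_policy(lines, core_signers, threshold: int = 2) -> bool:
    """True only if >= threshold distinct core signers produced valid
    signatures and no signature in the file was bad or unverifiable."""
    valid, bad = signers_from_status(lines)
    return bad == 0 and len(valid & set(core_signers)) >= threshold

# Constructed roster and constructed status output for two good signatures.
FPR_DEV1 = "1111222233334444555566667777888899990000"
FPR_DEV2 = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SUBKEY_DEV2 = "9999888877776666555544443333222211110000"
CORE_SIGNERS = {FPR_DEV1, FPR_DEV2}
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 7777888899990000 Dev One <dev1@example.org>",
    f"[GNUPG:] VALIDSIG {FPR_DEV1} 2019-03-08 1552071900 0 4 0 1 10 00 {FPR_DEV1}",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 3333222211110000 Dev Two <dev2@example.org>",
    f"[GNUPG:] VALIDSIG {SUBKEY_DEV2} 2019-03-08 1552075500 0 4 0 1 10 00 {FPR_DEV2}",
]

if __name__ == "__main__":
    print("policy satisfied:", check_release_policy(SAMPLE_STATUS, CORE_SIGNERS))
```

Requiring `bad == 0` is deliberate: a file where one of the concatenated signatures fails is a stronger signal of tampering than a file that simply lacks a signature.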