Optimal workflow with GPG signatures from multiple parties

Jacob Bachmeyer jcb62281 at gmail.com
Sun Mar 5 02:17:40 CET 2023


Ave Milia via Gnupg-users wrote:

> Logically, it probably should not be as simple as the developer deploying their personal public key into the target environment and then signing their artifact, for two reasons: the target environment gets wiped, and it practically cannot account for all personal keys of all the developers; and then there is not much difference versus giving the developer direct access to the main private key.

Er, I may be mistaken here, but I understand that if any of the code you 
distribute is GPLv3, installing a personal public key into the target 
environment is exactly what you are required to permit.  (Or the 
"Installation Instructions" required under section 6 of the GPLv3 can 
include the main private key, your choice.)  The only way you get out of 
this is if you are not actually distributing code and this whole 
scenario is internal to some organization.

> What are some available solutions? How would you suggest organizing the keys? Maybe there should be some signing server in place that the developers send an artifact to?

Since you are asking on a list for GPG users, I suspect you are likely 
using GPG to verify artifacts in the target environment, and therefore 
need to comply with GPLv3... addressing that first may solve your problem.


-- Jacob
