Optimal workflow with GPG signatures from multiple parties
andrewg at andrewg.com
Mon Mar 6 12:28:58 CET 2023
On 04/03/2023 17:18, Ave Milia via Gnupg-users wrote:
> What are some available solutions? How would you suggest organizing the keys? Maybe there should be a signing server in place that the developers send an artifact to?
I built something similar for $WORK. You lock down the signing server
and use your preferred form of authentication to allow only your
developers (and the build server) to submit an artifact for signature.
This could be done using a simple REST API.

Once you have this in place, it would be easy to extend it with a second
signing key for development purposes only, and make sure that only the
production public key is distributed with your production artifacts.
That way all your developers can get their dev builds signed, but only
your build server and maybe your release manager have the credentials to
sign with the production key. This could be done by linking the signing
key to the user credentials, or by having two signing servers.
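The policy core of the signing service described above, as an added example that is not the poster's code: an authenticated principal asks for the "dev" or "prod" key, the service checks that the principal is mapped to that key and that the artifact matches its declared digest, then builds the gpg command for a detached signature. Principal names, the key-to-principal mapping and the fingerprints are constructed placeholders; the REST/authentication layer that establishes the principal is assumed and not shown.

```python
import hashlib
import hmac
import subprocess
from dataclasses import dataclass

# Constructed placeholder fingerprints; a real service loads these from config
# on the locked-down signing host.
KEY_FPRS = {
    "dev":  "0000000000000000000000000000000000000DE7",   # hypothetical
    "prod": "000000000000000000000000000000000000A11F",   # hypothetical
}

# Linking the signing key to user credentials: every developer and the build
# server may use the dev key, but only the build server and the release
# manager are ever mapped to the production key (names are constructed).
KEY_POLICY = {
    "dev":  {"alice", "bob", "build-server", "release-manager"},
    "prod": {"build-server", "release-manager"},
}


@dataclass(frozen=True)
class SignRequest:
    principal: str   # identity established by the (not shown) auth layer
    key_id: str      # "dev" or "prod", chosen by the submitter
    artifact: bytes  # artifact body as uploaded
    sha256: str      # digest the submitter claims for the artifact


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def authorize(req: SignRequest) -> tuple:
    """Return (True, fingerprint) if signing is allowed, else (False, reason)."""
    allowed = KEY_POLICY.get(req.key_id)
    if allowed is None or req.principal not in allowed:
        return (False, f"{req.principal!r} may not sign with key {req.key_id!r}")
    # Refuse artifacts whose content does not match the declared digest, so a
    # corrupted or swapped upload never receives a valid signature.
    if not hmac.compare_digest(sha256_hex(req.artifact), req.sha256.lower()):
        return (False, "artifact digest mismatch")
    return (True, KEY_FPRS[req.key_id])


def gpg_argv(fingerprint: str, artifact_path: str) -> list:
    """gpg invocation for an ASCII-armored detached signature with one fixed key."""
    return ["gpg", "--batch", "--yes", "--local-user", fingerprint, "--armor",
            "--detach-sign", "--output", artifact_path + ".asc", artifact_path]


def sign(req: SignRequest, artifact_path: str) -> list:
    ok, result = authorize(req)
    if not ok:
        raise PermissionError(result)
    argv = gpg_argv(result, artifact_path)
    subprocess.run(argv, check=True)  # artifact_path already written to disk
    return argv
```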