Optimal workflow with GPG signatures from multiple parties

Andrew Gallagher andrewg at andrewg.com
Mon Mar 6 12:28:58 CET 2023

On 04/03/2023 17:18, Ave Milia via Gnupg-users wrote:
> What are some available solutions? How would you suggest organizing the keys? Maybe there should be some signing server in place that the developers send an artifact to?

I built something similar for $WORK. You lock down the signing server 
and use your preferred form of authentication to allow only your 
developers (and the build server) to submit an artifact for signature. 
This could be done using a simple REST API.

Once you have this in place, it would be easy to extend it with a second 
signing key for development purposes only, and make sure that only the 
production public key is distributed with your production artifacts. 
That way all your developers can get their dev builds signed, but only 
your build server and maybe your release manager have the credentials to 
sign with the production key. This could be done by linking the signing 
key to the user credentials, or by having two signing servers.
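The authorization core of the signing service sketched above, as an added example that is not code from the original message or from the poster's $WORK system. It assumes a REST layer has already authenticated the caller and passes a principal name; the fingerprints and principal names are constructed placeholders, and the actual signing step shells out to `gpg --detach-sign` with the key chosen by policy.

```python
import subprocess

# Constructed placeholder fingerprints; a real deployment uses the actual key fingerprints.
DEV_KEY = "DEV0000000000000000000000000000000000000"
PROD_KEY = "PROD000000000000000000000000000000000000"

# Policy linking signing keys to user credentials: every developer may use the
# dev-only key; only the build server and the release manager map to the
# production key. Unknown principals map to nothing and are refused.
POLICY = {
    "alice@developers": {DEV_KEY},
    "build-server": {DEV_KEY, PROD_KEY},
    "release-manager": {PROD_KEY},
}

class SigningDenied(Exception):
    """Raised when a principal requests a key its credentials do not cover."""

def is_authorized(principal: str, requested_key: str) -> bool:
    """Fail closed: a principal absent from POLICY gets an empty key set."""
    return requested_key in POLICY.get(principal, set())

def authorize(principal: str, requested_key: str) -> str:
    """Return the fingerprint the caller may sign with, or raise SigningDenied."""
    if not is_authorized(principal, requested_key):
        raise SigningDenied(f"{principal} may not sign with {requested_key}")
    return requested_key

def gpg_detach_sign(key_fpr: str, artifact: bytes) -> bytes:
    """ASCII-armoured detached signature with the selected key.
    Assumes the secret key lives in the service's GnuPG home (ideally on a smartcard)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--detach-sign", "--local-user", key_fpr],
        input=artifact, capture_output=True, check=True,
    )
    return proc.stdout

def handle_sign_request(principal: str, requested_key: str, artifact: bytes,
                        signer=gpg_detach_sign) -> dict:
    """Endpoint core: authorize, sign with the policy-selected key, record an audit line."""
    key = authorize(principal, requested_key)
    signature = signer(key, artifact)
    audit = f"signed {len(artifact)} bytes with {key[:8]} for {principal}"
    return {"key": key, "signature": signature, "audit": audit}

if __name__ == "__main__":
    # Policy demonstration only; no gpg invocation here.
    print("dev -> prod key allowed?", is_authorized("alice@developers", PROD_KEY))   # False
    print("build server -> prod key allowed?", is_authorized("build-server", PROD_KEY))  # True
```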


