yegor256
Reputation: 105133
Where to keep a GPG secret key for a Maven project in CI environment?
I'm trying to use maven-gpg-plugin:sign in order to sign project artifacts before deployment to Sonatype OSS repository. The question is where shall I keep my secret key secring.gpg:
- In continuous integration
~/.gnupgdirectory - In project source code, e.g.
src/test/resources/gpg/secring.gpg
And why?
Upvotes: 6
Views: 1667
Answers (1)
Victor Sorokin
Reputation: 12006
If key is sensitive put it in ~/.gnupg directory on CI server and protect that directory with proper access modifiers. 2nd approach will allow every developer with access to project to see key.
Upvotes: 3
Related Questions
- Use of key file in Google Secret Manager
- gpg no default secret key error using maven
- Select the GnuPG key used in maven-gpg-plugin
- Alternative for GPG signature to publish JAR in maven central
- Trying to encrypt gpg password in settings.xml
- Automated GnuPG key generation during maven deployment does not export secret key
- How to select the GnuPG key that the maven-gpg-plugin uses to sign artifacts?
- Where to keep private keys in web deployments?
- Where to store private keys for a continuous integration (CI) deployment?
- Where to keep a GPG secret key for Jenkins running on Windows?