On Fri 2019-03-08 20:05:53 +0100, john doe wrote:
> I'm considering working on a project that has only for now a couple of
> developers.
> As part of that project everything that will be released will need to be
> gpg signed.
>
> What is the best way forward?
> - One signing key accessible on the release system
> - Each dev having a copy of the key to be able to sign a release
> - Other suggestions
>
> In other words: What is, if any, the best way to sign a file, when the
> same key is to be used by multiple persons.
This really depends on the development workflow and practices of your team, and the security requirements of your users. So there's no one clear answer.

 * Does your team have a single release manager, who is responsible for deciding when a release is fully-baked? If so, let the release manager hold the signing key, and no one else.

 * Do many different people cut releases in your team? If so, you could:

   a) share a secret signing-capable subkey among all the people who make releases

   b) if the primary key is signing-capable, share the associated secret key among all the people who make releases.

   c) make an OpenPGP certificate with multiple signing-capable subkeys, one per release operator

 * Do you need *multiple* people to sign off on a release? In that case, you might need some fancier approach (or you might need to modify how your users or downstreams are expected to verify the releases).

Does this make sense? Sorry to not have One True Answer™ for you!

--dkg
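Option c) and the last bullet fit together naturally on the verifying side: if the project certificate carries one signing subkey per release operator, a downstream can tell the operators apart by the subkey that made each signature and insist that more than one of them signed off. The following is an added example of such a verification policy; it is not code from this thread or from GnuPG. It parses the machine-readable status lines that `gpg --status-fd 1 --verify <sigfile> <data>` prints (the GOODSIG and VALIDSIG layouts are from gpg's doc/DETAILS), and every fingerprint, name and address in it is a constructed placeholder. It also handles the failure mode a naive checker misses: gpg emits VALIDSIG for cryptographically valid signatures from expired or revoked keys too (next to EXPKEYSIG/REVKEYSIG instead of GOODSIG), so a sign-off is only counted when both lines agree.

```python
"""Downstream release-verification policy for a project certificate that has one
signing-capable subkey per release operator and requires sign-off from more than
one operator.  Constructed example: every fingerprint below is a placeholder."""
import re

# Constructed: the project's primary-key fingerprint and the enrolled operators'
# signing subkeys.  A downstream would pin these the same way it pins any key.
PROJECT_PRIMARY_FPR = "AAAA" * 10
OPERATOR_SUBKEYS = {
    "BBBB" * 10: "alice",
    "CCCC" * 10: "bob",
    "DDDD" * 10: "carol",
}
REQUIRED_SIGNOFFS = 2

# Layouts from gpg's doc/DETAILS:
#   [GNUPG:] GOODSIG  <long_keyid> <user_id>
#   [GNUPG:] VALIDSIG <sig_fpr> <date> <ts> <expire_ts> <ver> <reserved>
#                     <pk_algo> <hash_algo> <sig_class> <primary_fpr>
GOODSIG_RE = re.compile(r"^\[GNUPG:\] GOODSIG ([0-9A-F]{16}) ")
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+)(?: \S+){8} (\S+)$")


def collect_signoffs(status_lines, primary_fpr=PROJECT_PRIMARY_FPR,
                     operators=OPERATOR_SUBKEYS):
    """Map operator name -> signing subkey fingerprint for every signature that
    (1) verified cryptographically (VALIDSIG), (2) was made by a key gpg also
    reported as GOODSIG, i.e. neither expired nor revoked, and (3) hangs off the
    project's primary key and belongs to an enrolled operator."""
    good_keyids = set()
    for line in status_lines:
        m = GOODSIG_RE.match(line.strip())
        if m:
            good_keyids.add(m.group(1))
    signoffs = {}
    for line in status_lines:
        m = VALIDSIG_RE.match(line.strip())
        if not m:
            continue
        sig_fpr, sig_primary = m.group(1), m.group(2)
        if sig_fpr[-16:] not in good_keyids:
            continue  # expired/revoked key: VALIDSIG alone is not a sign-off
        if sig_primary != primary_fpr:
            continue  # signature from some other certificate entirely
        operator = operators.get(sig_fpr)
        if operator is None:
            continue  # subkey under the project cert but not an enrolled operator
        signoffs[operator] = sig_fpr  # one vote per operator, however many sigs
    return signoffs


def release_is_approved(status_lines, required=REQUIRED_SIGNOFFS):
    """True when at least `required` distinct operators signed the release."""
    return len(collect_signoffs(status_lines)) >= required


# Constructed status output, shaped like what gpg --status-fd 1 --verify prints
# for a detached signature file carrying four signatures.
_MID = "2019-03-08 1552070753 0 4 0 22 8 00"
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Alice (release) <alice@example.org>",
    f"[GNUPG:] VALIDSIG {'BBBB' * 10} {_MID} {'AAAA' * 10}",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG CCCCCCCCCCCCCCCC Bob (release) <bob@example.org>",
    f"[GNUPG:] VALIDSIG {'CCCC' * 10} {_MID} {'AAAA' * 10}",  # expired subkey
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG DDDDDDDDDDDDDDDD Carol (release) <carol@example.org>",
    f"[GNUPG:] VALIDSIG {'DDDD' * 10} {_MID} {'AAAA' * 10}",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG EEEEEEEEEEEEEEEE Someone Else <else@example.org>",
    f"[GNUPG:] VALIDSIG {'EEEE' * 10} {_MID} {'FFFF' * 10}",  # foreign cert
]

if __name__ == "__main__":
    print("sign-offs:", sorted(collect_signoffs(SAMPLE_STATUS)))
    print("approved:", release_is_approved(SAMPLE_STATUS))
```

In use, the downstream would pipe the real status output into `collect_signoffs` (e.g. `sys.stdin` after `gpg --status-fd 1 --verify`) and refuse the release unless `release_is_approved` holds. With the sample above only alice and carol count: bob's signature is cryptographically fine but his subkey is expired, and the fourth signature comes from a certificate that is not the project's at all.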