On 3/10/2019 8:29 PM, Werner Koch wrote:
> On Fri, 8 Mar 2019 20:05, johndoe65...@mail.com said:
>
>> What is the best way forward?
>> - One signing key accessible on the release system
>
> I'd say depends on the release system. In most cases this is a
> networked box and I would hesitate to do this. Using gpg with a
> remote gpg-agent would be an option, though.
>

Looks like this approach is out of the question, we are scattered around the world without knowing each other in real life! :)

>> - Each dev having a copy of the key to be able to sign a release
>
> That is what we do in GnuPG. We have a few core developers which carry
> a key and that set of keys is distributed with each gpg release and also
> via other channels. We also demand that the keys are all smartcard based
> and thus a remote key compromise would need physical access. Well, a
> developer could be tricked into signing a bad release but at least this
> would not compromise the widely distributed key.
>
> We often add a second signature to a release. For example, I sign many
> of the releases and when Niibe-san then sends me his signature for the
> same tarball I then append that signature to mine [1]. This is also the
> reason why you often notice a changed signature file (you can simply
> concatenate detached signatures). For a small group this works really
> well, but for a larger group the system Konstantin describes in his mail
> is better up to the task.
>

Just to be clear, you Werner will sign everything that needs to be signed for a release with your personal key. As an extra layer of security Niibe will also sign the release and send you the detached signature. Is that correct or what am I missing?

Thank you Werner for your input, along with Werner's input I'd also like to thank the below two for their input:

Daniel Kahn Gillmor <d...@fifthhorseman.net>
Konstantin Ryabitsev <konstan...@linuxfoundation.org>

--
John Doe
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
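The "simply concatenate detached signatures" remark above works because a binary detached .sig file is nothing more than a sequence of OpenPGP signature packets (RFC 4880): `gpg --detach-sign release.tar.xz` writes one packet, `cat a.sig b.sig > release.tar.xz.sig` produces a file with two, and `gpg --verify release.tar.xz.sig release.tar.xz` reports each of them. The parser below is an added example, not GnuPG code or code from anyone in this thread: it walks the packet headers of such a file and lists the issuer key ID of every signature, which is the check you want before trusting a release ("are both expected signers present?"). It does no cryptographic verification at all, so it complements rather than replaces `gpg --verify`. The sample packets at the bottom are constructed for the demo with dummy key IDs and a dummy MPI; they are structurally valid but would never verify against a real key.

```python
import struct

# OpenPGP packet tag and signature subpacket types (RFC 4880).
TAG_SIGNATURE = 2
SUB_CREATION_TIME = 2    # 4-byte creation time, normally in the hashed area
SUB_ISSUER_KEY_ID = 16   # 8-byte key ID, normally in the unhashed area
SUB_ISSUER_FPR = 33      # 1-byte key version + fingerprint, hashed area


def _packet_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet starting at buf[pos]."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError(f"offset {pos}: not an OpenPGP packet header")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body length is not valid for a signature")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header (what gpg emits)
    if ltype == 0:
        return tag, pos + 2, buf[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", buf[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", buf[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate packet length is not valid in a .sig")


def _subpackets(area):
    """Yield (type, data) for each subpacket in a v4 hashed/unhashed area."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]  # bit 7 = critical flag
        pos += length


def _parse_v4(body):
    """Parse the header fields of a version-4 signature packet body."""
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    sig = {"version": 4, "sig_type": body[1], "pk_algo": body[2],
           "hash_algo": body[3], "created": None, "issuer": None}
    # Prefer the hashed area: the unhashed area is not covered by the signature.
    for sub_type, data in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if sub_type == SUB_CREATION_TIME and sig["created"] is None:
            sig["created"] = struct.unpack(">I", data)[0]
        elif sub_type == SUB_ISSUER_FPR and sig["issuer"] is None and data[0] == 4:
            sig["issuer"] = data[1:][-8:].hex().upper()  # v4 key ID = low 64 bits
        elif sub_type == SUB_ISSUER_KEY_ID and sig["issuer"] is None:
            sig["issuer"] = data.hex().upper()
    return sig


def parse_detached_sig(data):
    """Return one dict per signature packet in a binary detached .sig file."""
    sigs, pos = [], 0
    while pos < len(data):
        tag, start, length = _packet_header(data, pos)
        if tag != TAG_SIGNATURE:
            raise ValueError(f"offset {pos}: packet tag {tag} is not a signature")
        sigs.append(_parse_v4(data[start:start + length]))
        pos = start + length
    return sigs


def issuers(data):
    """Issuer key IDs in file order, i.e. who signed the release and how often."""
    return [s["issuer"] for s in parse_detached_sig(data)]


# --- Constructed sample data (NOT real signatures): two fake v4 packets ---
def _fake_v4_sig(key_id, created):
    """Build a structurally valid v4 signature packet with a dummy MPI."""
    hashed = bytes([5, SUB_CREATION_TIME]) + struct.pack(">I", created)
    unhashed = bytes([9, SUB_ISSUER_KEY_ID]) + key_id
    body = (bytes([4, 0x00, 1, 8])                  # v4, binary doc, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xAB\xCD"                            # left 16 bits of the hash (dummy)
            + struct.pack(">H", 16) + b"\xFF\xFF")   # one 16-bit dummy MPI
    return bytes([0x89]) + struct.pack(">H", len(body)) + body  # old-format tag 2

SIG_FIRST = _fake_v4_sig(bytes.fromhex("0123456789ABCDEF"), 1552000000)   # dummy key ID
SIG_SECOND = _fake_v4_sig(bytes.fromhex("FEDCBA9876543210"), 1552100000)  # dummy key ID
COMBINED_SIG = SIG_FIRST + SIG_SECOND  # what `cat first.sig second.sig > release.sig` yields

if __name__ == "__main__":
    for sig in parse_detached_sig(COMBINED_SIG):
        print(sig)
```

Run it against a real combined file with `parse_detached_sig(open("release.tar.xz.sig", "rb").read())` (binary, not ASCII-armored); `issuers()` then tells you which of the published release keys are present and whether one of them signed twice. The issuer key ID lives in the unhashed area, so an attacker who can rewrite the file can change it; the only thing that settles who signed is `gpg --verify` reporting "Good signature" against a key you already trust.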