Where to keep a GPG secret key for a Maven project in CI environment?

Question

I'm trying to use maven-gpg-plugin:sign in order to sign project artifacts before deployment to Sonatype OSS repository. The question is where shall I keep my secret key secring.gpg:

In continuous integration ~/.gnupg directory
In project source code, e.g. src/test/resources/gpg/secring.gpg

And why?

score 3 · Accepted Answer · answered Dec 22 '10 at 17:48

3

If key is sensitive put it in ~/.gnupg directory on CI server and protect that directory with proper access modifiers. 2nd approach will allow every developer with access to project to see key.

answered Dec 22 '10 at 17:48

Victor Sorokin

11,878
2
35
51

Anyone with access to the CI server will be able to read the key through it. – Christoffer Hammarström Dec 22 '10 at 19:37
With access to server and with access to ~/.gnupg, that is. But my answer was based on assumption that not every developer will have access to server and/or server's user under which CI is running. – Victor Sorokin Dec 22 '10 at 19:45
2

anyone who can commit a unit test can get access to it (though in that case it might be obvious they did) – Brett Porter Dec 22 '10 at 22:07
2

Not at all. Permission for a commit is not connected in any reasonable way to permission to have access to directory of user who runs CI server. – Victor Sorokin Dec 22 '10 at 22:31
@VictorSorokin A malicious unit test can read the secret key, doesn't it? – Filippo De Luca Jun 07 '14 at 13:42
Not necessary -- perms on `~/.gnupg` may be restrictive enough to protect against this. It depends on CI server setup, really. – Victor Sorokin Jun 09 '14 at 10:29

Where to keep a GPG secret key for a Maven project in CI environment?

1 Answers1

Linked