tarball signing
Sandro Knauß
sknauss at kde.org
Mon Jun 6 09:39:25 UTC 2016
Hey,
> Well, Albert and I use (the same user on) the same server to make releases.
> So the private key will have to be on that server, otherwise it will become
> very inconvenient (download, sign, upload).
>
> But if that's good enough, and if we can tell gpg2 which private key to use
> (so he and I don't use the same), then we can proceed with the idea.
You don't need to have the private key on the server - we have gpg-agent and
ssh - so you can forward the gpg-agent to the server when doing a release.
That way the private key material stays safe at your place:
https://www.isi.edu/~calvin/gpgagent.htm
Regards,
sandro
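
The agent forwarding suggested in the message above, as an added configuration example that is not part of the original post. It assumes GnuPG 2.1 or later and OpenSSH 6.7 or later; the host alias, host name, user name, uid and socket paths are placeholders.

```sshconfig
# ~/.ssh/config on the release manager's workstation (constructed example).
# "release-server", "release.example.org", "releaser" and both socket paths
# are placeholders. Look up the real paths with:
#   workstation: gpgconf --list-dirs agent-extra-socket
#   server:      gpgconf --list-dirs agent-socket
Host release-server
    HostName release.example.org
    User releaser
    # RemoteForward <agent socket on server> <restricted "extra" socket on workstation>
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
    # Fail the connection instead of continuing without the forwarded socket.
    ExitOnForwardFailure yes

# On the server, sshd_config needs "StreamLocalBindUnlink yes" so that a stale
# socket left by an earlier session is replaced on the next login.
#
# The server keyring holds only the public keys. Each release manager selects
# their own key when signing on the server:
#   gpg2 --local-user <KEYID> --armor --detach-sign <tarball>
```

While the session is open, any process running as that server account can ask the forwarded agent for signatures, so keep release sessions short and the agent's passphrase cache lifetime low.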