Open RangHo opened 5 months ago
The public and private keypair is available as GitHub Secrets; use them by accessing RANGHO_REPOSITORY_SIGNING_PGP_PRIVATE and RANGHO_REPOSITORY_SIGNING_PGP_PUBLIC secret items, respectively.
A separate PEM formatted key is available: RANGHO_REPOSITORY_SIGNING_PEM.
I need to figure out where to host the public key for users to verify against, though.
Most package managers require proper signing if they are accessed from the internet.
Adding a shared GPG key in the GitHub secrets store should allow automatic building and signing of those packages. Then, keys can be distributed via a separate keyserver such as Keybase (apparently it's still live).
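
One way the automatic signing described in this issue could be wired up, as an added example that is not part of the original issue or the project's own workflow. The workflow name, trigger, `build.sh` script and `dist/` directory are assumptions, and the private key is assumed to have no passphrase; only the two secret names come from the issue.

```yaml
# Added example: sign build outputs with the key held in GitHub Secrets.
name: sign-packages            # hypothetical workflow name
on:
  push:
    tags: ["v*"]               # assumed trigger: sign only tagged releases
permissions:
  contents: read               # the signing job needs no write access
jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      # In practice, pin third-party actions to a full commit SHA.
      - uses: actions/checkout@v4
      - name: Build packages
        run: ./build.sh        # hypothetical script that writes to dist/
      - name: Sign and self-verify
        env:
          PGP_PRIVATE: ${{ secrets.RANGHO_REPOSITORY_SIGNING_PGP_PRIVATE }}
          PGP_PUBLIC: ${{ secrets.RANGHO_REPOSITORY_SIGNING_PGP_PUBLIC }}
        run: |
          set -euo pipefail
          # Throwaway keyring so the private key never touches ~/.gnupg
          # and is removed even if a later command fails.
          export GNUPGHOME="$(mktemp -d)"
          chmod 700 "$GNUPGHOME"
          VERIFY_HOME="$(mktemp -d)"
          chmod 700 "$VERIFY_HOME"
          trap 'gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME" "$VERIFY_HOME"' EXIT

          # Key material is piped in from the environment, never echoed
          # to the log or written to the workspace.
          printf '%s' "$PGP_PRIVATE" | gpg --batch --import

          # Detached, ASCII-armored signature next to each artifact.
          for f in dist/*; do
            gpg --batch --yes --armor --detach-sign --output "$f.asc" "$f"
          done

          # Check every signature against a keyring that holds only the
          # public key, i.e. exactly what a user would have.
          printf '%s' "$PGP_PUBLIC" | gpg --homedir "$VERIFY_HOME" --batch --import
          for sig in dist/*.asc; do
            gpg --homedir "$VERIFY_HOME" --batch --verify "$sig" "${sig%.asc}"
          done
```

The self-verify step fails the job if the public and private secrets do not belong to the same keypair, which catches a mismatched or rotated key before unsigned-in-effect packages are published.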