harningt / atomun-mnemonic

Java component library containing mnemonic<->byte logic.
Apache License 2.0

Create Maven release-signing-key #7

Closed harningt closed 9 years ago

harningt commented 10 years ago

A release signing key needs to be prepared and secured for Maven artifacts published by Gradle.

It turns out that Gradle implements artifact signing by calling out to OpenPGP support implemented in BouncyCastle rather than using the gpg executable present on the system. While this is useful in many ways, it prevents password caching / isolation, usage of subkeys, and, even more importantly, keys stored on external tokens.

A new key will need to be devised that will be stored on an encrypted USB token that is only decrypted / mounted when necessary for code-signing... that way at least the key is typically separate from the machine.

harningt commented 9 years ago

Key created:

   pub   2048R/F8908096 2014-10-29 [expires: 2016-10-28]
         Key fingerprint = B6CC 560D F1C0 991E 08AA  555A ED63 F369 F890 8096
   uid                  Thomas Harning Jr (CODE SIGNING KEY) <harningt@gmail.com>