Hopefully addresses the concerns raised in #5. I would submit that the ideal CI best practice is to AES encrypt the ASCII-armored passwordless private key. AES-256 with a non-default IV is going to be better encryption that GPG's password-protection anyway, and most CI servers are going to have built-in support for securely managing encrypted files (if your CI server doesn't support this, it's bad and you shouldn't use it). This best practice is what I have documented in the README, as well as adding a note explicitly calling out how the defaults are secure and precisely what you want for the publish-from-laptop strategy.
jodersky
commented
6 years ago
Hopefully addresses the concerns raised in #5. I would submit that the ideal CI best practice is to AES encrypt the ASCII-armored passwordless private key. AES-256 with a non-default IV is going to be better encryption that GPG's password-protection anyway, and most CI servers are going to have built-in support for securely managing encrypted files (if your CI server doesn't support this, it's bad and you shouldn't use it). This best practice is what I have documented in the README, as well as adding a note explicitly calling out how the defaults are secure and precisely what you want for the publish-from-laptop strategy.