nautilus-cyberneering / secure-git-guide

A collections of articles about Git, GitHub and GPG focused on security.
https://secure-git.guide

Listing the keys used in the repository. #9

Open da2ce7 opened 2 years ago

da2ce7 commented 2 years ago

Bitcoin has a file within their repository that lists the GPG key-fingerprints that are used by the developers and builders.

https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys

This is a good way to authenticate a new developer for the project.

I think that the GPG-Bootcamp could explain how to upload a key to the keyserver, and how to request a listing in the keys.txt file.

cgbosse commented 2 years ago

I looked at the link and repo. This can be implemented. However, given that we have 18 repositories to date I think that we should use a central file for this and have it in the organization repository.

One question though: the yellow part in the screenshot we do not need, correct? Each one's key is imported into GitHub from his profile.

image

josecelano commented 2 years ago

This is related to a new article proposal I have added.

With the keys.txt file you can get the list of public keys. And you can use a Git Tag to obtain the public key instead of using an external GPG server like http.

I do not know the pros and cons of using your own key server vs a well-known one.

cc @da2ce7
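An added example (not code from this repository or from Bitcoin) of how the keys.txt allowlist discussed above can be used as the trust anchor when checking a signed commit or tag. It assumes a keys.txt layout of one 40-hex fingerprint, a tab, and the holder's name per line, and consumes the `[GNUPG:]` status lines that `git verify-commit --raw` / `git verify-tag --raw` print; both samples below are constructed placeholders, not real keys.

```python
import re

# Constructed keys.txt-style allowlist (placeholder fingerprints, not real keys).
SAMPLE_KEYS_TXT = """\
# builder keys (constructed example)
0123456789ABCDEF0123456789ABCDEF01234567\tAlice Example (alice)
89ABCDEF0123456789ABCDEF0123456789ABCDEF\tBob Example (bob)
"""

# Constructed gpg --status-fd lines, as `git verify-commit --raw` prints them.
SAMPLE_GPG_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example (alice) <alice@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-01-01 1672531200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

FPR_RE = re.compile(r"^[0-9A-F]{40}$")

def parse_keys_txt(text):
    """Return {fingerprint: name} from keys.txt; reject malformed fingerprints."""
    allow = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fpr, _, name = line.partition("\t")
        fpr = fpr.replace(" ", "").upper()  # tolerate "AAAA BBBB ..." grouping
        if not FPR_RE.match(fpr):
            raise ValueError(f"malformed fingerprint in keys.txt: {raw!r}")
        allow[fpr] = name.strip()
    return allow

def signing_fingerprint(status):
    """Full primary-key fingerprint from the VALIDSIG line (never the short key ID)."""
    for line in status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            # Field 12 is the primary key fingerprint; field 3 is the signing (sub)key.
            return (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return None

def signer_is_listed(status, keys_txt):
    """(True, name) only if gpg reported a valid signature by a key in keys.txt."""
    allow = parse_keys_txt(keys_txt)
    fpr = signing_fingerprint(status)
    if fpr is None or fpr not in allow:
        return (False, None)
    return (True, allow[fpr])
```

A GOODSIG line alone only proves the key is in the local keyring; matching the full fingerprint against the committed allowlist is what ties the signature to a known project member, whichever keyserver the key was fetched from.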