问题
I'm trying to use maven-gpg-plugin:sign in order to sign project artifacts before deployment to Sonatype OSS repository. The question is where shall I keep my secret key secring.gpg:
- In continuous integration
~/.gnupgdirectory - In project source code, e.g.
src/test/resources/gpg/secring.gpg
And why?
回答1:
If key is sensitive put it in ~/.gnupg directory on CI server and protect that directory with proper access modifiers. 2nd approach will allow every developer with access to project to see key.
来源:https://stackoverflow.com/questions/4511954/where-to-keep-a-gpg-secret-key-for-a-maven-project-in-ci-environment