Menu
I'm trying to use maven-gpg-plugin:sign in order to sign project artifacts before deployment to Sonatype OSS repository. The question is where shall I keep my secret key secring.gpg:
~/.gnupg directorysrc/test/resources/gpg/secring.gpg
And why?
561
If key is sensitive put it in ~/.gnupg directory on CI server and protect that directory with proper access modifiers. 2nd approach will allow every developer with access to project to see key.
177
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
