Support trusting custom keys for custom bootstrap repositories. #38
Comments
I think the private keys for signing are already imported there so the remaining work is only to update the The way we're using the GPG agent, you can't actually share public keys. In fact, each user that accesses the vault must already have the public key that corresponds to the private key they wish to use. We could probably declare a common location to store public keys, but I don't think it can be done through the GPG vault's agent. |
|
Thanks for the context. It sounds like the repository user (jenkins-agent by default) should be the designated keeper of the public keys needed on the repository host and the gpg-vault user holds the private keys. |
It's currently possible to specify a custom bootstrap repository URL and signing key ID but it the cookbook does not directly support trusting custom keys.
The workaround available right now is to add your own recipe to the run list which imports the appropriate key after this cookbook is run.
Before we add this feature I'd like to work with @cottsay to see if we can/should move all GPG usage into the gpg-vault user and manage both public and private keys there.
The text was updated successfully, but these errors were encountered: