How are you supposed to do git signed commits/tags without putting gpg private keys on your development box/account?!
-
Unfortunately subkeys don't solve the problem when I seem to need the tags signed by the more-trusted key...
-
What I want is a way to process the signing request on a secure remote with minimal attack surface.
-
does "export remote filesystem via sshfs to the trusted box and sign" count?
-
No, because the trusted box should not be processing complex data like a git repo, only the text to be signed.
-
I see. git offers gpg.program config so you'd have to provide a stub to forward the request to the trusted host
-
I'm trying to do that, but getting stdin/out to work AND getting a pty for passphrase entry is quite difficult.
-
I'd try to wire local pinentry to remote gpg --*-fd options, but I assume getting that right could be tricky
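
A sketch of the `gpg.program` stub discussed in the thread, added here as an example and not written by any of the participants. It forwards only git's signing call (`--status-fd=2 -bsau <key>`) over SSH so the trusted host sees nothing but the text to sign; the host alias `signer.example`, the script name `git-remote-sign`, and a remote gpg-agent that can unlock the key without a terminal are assumptions.

```shell
#!/bin/sh
# Added example: gpg.program stub that forwards only signing requests.
# Assumptions: TRUSTED_HOST is a hypothetical SSH alias, and the remote
# gpg-agent can unlock the key without a terminal on this connection.
TRUSTED_HOST="${TRUSTED_HOST:-signer.example}"

# Print the remote command line for git's signing call, or fail.
# git invokes the configured program as: --status-fd=2 -bsau <key>
build_remote_cmd() {
    [ "$#" -eq 3 ] || return 1
    [ "$1" = "--status-fd=2" ] || return 1
    [ "$2" = "-bsau" ] || return 1
    # ssh joins its arguments into one remote shell string, so accept only
    # a hex key ID or fingerprint; nothing else may reach the remote shell.
    case "$3" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#3}" -ge 16 ] && [ "${#3}" -le 64 ] || return 1
    printf 'gpg --status-fd=2 -bsau %s' "$3"
}

forward_sign() {
    cmd=$(build_remote_cmd "$@") || {
        echo "remote-sign: refusing unsupported gpg invocation" >&2
        return 2
    }
    # No pty is requested: stdin carries the payload, stdout the detached
    # signature, and stderr the [GNUPG:] status lines that git checks.
    ssh -T -o BatchMode=yes "$TRUSTED_HOST" "$cmd"
}

# Run only when installed under the stub's name, not when sourced.
case "${0##*/}" in
    git-remote-sign) forward_sign "$@" ;;
esac
```

Installed as `git-remote-sign` and set with `git config gpg.program`, the stub handles signing only; verification calls are refused and would need a local gpg holding just the public key.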