On my Debian 3.2.54-2 build server I'd like to sign the build artifacts (JAR files) with my private key to ensure their authenticity.
I've created a private key secring.gpg using GnuPG and protected it with a password. I'm using Jenkins and Gradle for automated building and signing.
I have to pass Gradle the location of secring.gpg so it can sign the JARs, but I'm not sure where to put it.
Are there any conventions or best practices regarding this?
I've browsed the related questions and googled the question, but that didn't yield any answers for me.
I'm new to security related topics, so if I can provide any additional information, please let me know.
Thanks.
The only thing close to a "standard" in this regard would be to put your keyring in a dotfolder within the home directory of whatever user needs access to it.
Ensure that permissions are set such that only the user in question has read/write access to the file.
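The placement and permission rule from the answer above, as an added shell example (not from the original post): one function copies the keyring into a dotfolder under the build user's home with owner-only modes, and a second one verifies ownership and modes before Gradle is pointed at the file. It assumes GNU stat as shipped on Debian; the paths used are the caller's.

```shell
set -u

# install_keyring SRC DEST_DIR: copy the keyring into DEST_DIR (e.g. ~/.gnupg),
# creating the directory 0700 and the file 0600 so only the owner can read it.
install_keyring() {
    src=$1
    dest_dir=$2
    # umask 077 makes everything created here owner-only from the start, so
    # there is no window during the copy in which the file is world-readable.
    (
        umask 077
        mkdir -p "$dest_dir" || exit 1
        cp "$src" "$dest_dir/" || exit 1
    ) || return 1
    chmod 700 "$dest_dir"
    chmod 600 "$dest_dir/$(basename "$src")"
}

# check_keyring_perms KEYRING: return 0 only if the keyring and its directory
# are owned by the current user and readable by nobody else. Uses GNU stat:
# %U prints the owner name, %a the octal mode.
check_keyring_perms() {
    keyring=$1
    dir=$(dirname "$keyring")
    me=$(id -un)
    [ -f "$keyring" ] || { echo "missing: $keyring" >&2; return 1; }
    owner=$(stat -c '%U' "$keyring")
    [ "$owner" = "$me" ] || { echo "keyring owned by $owner, not $me" >&2; return 1; }
    downer=$(stat -c '%U' "$dir")
    [ "$downer" = "$me" ] || { echo "$dir owned by $downer, not $me" >&2; return 1; }
    fmode=$(stat -c '%a' "$keyring")
    # Any group/other bit set means another account on the host could read
    # the secret key material, so only owner-only modes pass.
    case "$fmode" in
        600|400) ;;
        *) echo "keyring mode $fmode, expected 600" >&2; return 1 ;;
    esac
    dmode=$(stat -c '%a' "$dir")
    case "$dmode" in
        700|500) ;;
        *) echo "directory $dir mode $dmode, expected 700" >&2; return 1 ;;
    esac
    return 0
}

# Usage (as the build user):
#   install_keyring /path/to/secring.gpg "$HOME/.gnupg"
#   check_keyring_perms "$HOME/.gnupg/secring.gpg" && echo "keyring OK"
```

The resulting path is what Gradle's signing plugin reads from the `signing.secretKeyRingFile` property in gradle.properties; that properties file also carries `signing.password`, so give it the same owner-only permissions.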