Initial commit

Add first few steps in README and echo gpg key

Initial commit
Add first few steps in README and echo gpg key
34e9fd6d · Frank Sauerburger · 34e9fd6d · 34e9fd6d
Unverified Commit 34e9fd6d authored 7 years ago by Frank Sauerburger
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+
+main:
+  image: ubuntu:16.04
+  script:
+    - apt-get update
+    - apt-get install -y gnupg2
+    - date > message
+    - echo $GPG_KEY
+    - echo $GPG_KEY | gpg --import
+    - gpg --detach-sign -a message
+
+  artifacts:
+    expire_in: 1 day
+    paths:
+     - "message*"
--- a/README.md
+++ b/README.md
+# How sign build artifacts in a CI job
+
+1. Find id of signing subkey
+    ```bash
+    $ gpg2 --edit-key sign-in-ci@example.com
+
+    pub  1024R/C695522A  created: 2017-12-30  expires: never       usage: SC  
+                         trust: ultimate      validity: ultimate
+    sub  1024R/98DDF87E  created: 2017-12-31  expires: never       usage: S   
+    sub  1024R/07CDDCEB  created: 2017-12-31  expires: never       usage: E   
+    [ultimate] (1). Example <sign-in-ci@example.com>
+    ```
+    For this example, we want to use the subkey with the id `98DDF87E`.
+
+2. Export signing subkey
+
+    ```bash
+    $ gpg2 --armor --output sign-key.asc --export-secret-subkey 98DDF87E!
+    ```
+    Please not the traling exclamation mask.
+
+3. In order to remove the password protection, we have to copy it to a docker
+    container, import it, remove the password and export the whole key again.
+
+    ```bash
+    $ docker cp sign-key.asc 8765:/
+    8765# gpg --import sign-key.asc
+    8765# gpg --edit-key
+    > passwd
+    > save
+    8765# gpg --edit-key
+    8765# gpg --armor --output sign-key-unprotected.asc --export-secret-key sign-in-ci@exapmle.com
+    $ docker cp 8765:sign-key-unprotected.asc .
+
+4. Add a protected secret CI variable `$GPG_KEY` and paste the contents of
+    `sign-key-unprotected.asc`.
+
+5. Setup [CI](.gitlab-ci.yml]