Adding GPG keys to Gitpod
It's actually fairly straightforward to add GPG keys to Gitpod. Do note that this is halfway secure, in that someone (Gitpod) does have access to your key, regardless of what you do. See the issues below for more on this topic.
⚠️ DO NOT upload your normal signing key that you care about. Create a new one. ⚠️ These security warnings are in no way meant to suggest that the folks at Gitpod are untrustworthy; in this author's opinion, quite the opposite. They're merely meant to highlight actual security in the limit.
- Export your private GPG key to Gitpod.
  - Copy the long address identifier from the output of

      gpg --list-secret-keys

  - Export and convert to base64 via

      gpg --export-secret-keys <key-id> | base64 -w 0 | xsel -b

  ⚠️ Be sure to create a new key for this purpose and ensure it has an expiration date, see above!
- Save the GPG key in an environment variable in Gitpod
  - Add the key via Gitpod's CLI from a Gitpod terminal. The variable name has to match the one the task in the configuration file reads, GNUPG_KEY:

      gp env GNUPG_KEY='your-key'
- Update your .gitpod.yaml file
  - Add the following to your Gitpod configuration file:

      tasks:
        - before: >
            [[ ! -z $GNUPG_KEY ]] &&
            gpg --verbose --batch --import <(echo $GNUPG_KEY|base64 -d) &&
            echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf
- Drop tha 🎤
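An added example, not part of the original post: a stricter variant of the `before` task that refuses a key with no expiration date and adds the loopback line only once. The function names are hypothetical; it assumes the base64 key is in `GNUPG_KEY` and that the installed gpg supports `--show-keys`.

```shell
#!/bin/sh
# Added example (not the original author's code). Assumes the key is stored
# base64-encoded in $GNUPG_KEY, as in the steps above.

# Succeed only if the colon-format key listing on stdin contains at least one
# primary key and every primary key has an expiration date (field 7).
# Constructed sample record: sec:u:255:22:AAAAAAAAAAAAAAAA:1700000000:1731536000:
key_expires() {
    awk -F: '
        $1 == "sec" || $1 == "pub" { n++; if ($7 == "") bad++ }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }
    '
}

# Append the loopback setting to the given gpg.conf only if it is missing,
# so repeated task runs do not pile up duplicate lines.
ensure_loopback() {
    conf=$1
    mkdir -p "$(dirname "$conf")" && chmod 700 "$(dirname "$conf")"
    touch "$conf"
    grep -qx 'pinentry-mode loopback' "$conf" ||
        echo 'pinentry-mode loopback' >> "$conf"
}

# Decode $GNUPG_KEY, refuse keys without an expiry, then import.
import_gitpod_key() {
    [ -n "${GNUPG_KEY:-}" ] || { echo "GNUPG_KEY is not set" >&2; return 1; }
    # Decode and inspect without importing; the key never touches a temp file.
    if ! printf '%s' "$GNUPG_KEY" | base64 -d |
            gpg --batch --with-colons --show-keys 2>/dev/null | key_expires
    then
        echo "refusing key: undecodable or has no expiration date" >&2
        return 1
    fi
    printf '%s' "$GNUPG_KEY" | base64 -d | gpg --batch --import &&
        ensure_loopback "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf"
}
```

Save it in the repository (the path is up to you), source it from the `before` task and call `import_gitpod_key`.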