I guess I'm not submitting new versions of my personal libs for a while, given that Maven Central requires signing files, and signing within GitLab CI is just begging for someone to steal the keys. Hopefully someone builds an alternative soon.

an alternative to requiring signing artifacts?

An alternative to JCenter.

jitpack is about as scrappy as it comes, might be relevant

JitPack is a real PITA, broken by design and unreliable as hell. It's not a real alternative to proper publishing.

gitlab ci supports secrets - variables can only be seen by maintainers

I think Campbell was worried about someone hacking GitLab or their hardware

indeed it does, but I'd rather not shove an entire gnupg configuration through an environment variable

and do what, perform rogue uploads to central? they'd have to hack that too, and you're in the same boat with jcenter/bintray

I can't envision a reasonable way to pack up an entire gnupg configuration, keyring and all, into an environment variable

encrypted keyring in storage (aws or whatever), secret api key and passphrase

image.png

right, so just

echo "${SECRET_KEY}" | gpg --import

before your build like https://gitlab.sauerburger.com/frank/sign-in-ci demonstrates

noted, thanks

and https://docs.gitlab.com/ee/ci/variables/#protect-a-custom-variable

yeah, i used CI env vars for my bintray key already