I am working on a project where the software does cryptographic operations with a GPG binary. Some functions have PGP encrypted output, and some take PGP encrypted input.
In order to unit test, my plan is to generate a passwordless key for unittest@project.example.com and include it in the repo. This will (naturally) make the key unsuitable for production use, but that's fine as users are expected to generate/use their own key.
Now to my question. If the key is included in the repository, anyone can upload it to a key server, use it to sign his/her own key, or revoke it (and upload the revocation). GPG can download keys from key servers automatically, and it seems unwise to have such a key (where the private key is public knowledge) in ones personal keyring.
Is it possible to upload a revoked version of the key to a key server (so no-ones keychain will trust it) and include a version of the key in the repo where the key is not revoked? Would that address the issue of the key appearing and be trusted in a personal keychain, while still allowing for unit testing with the same key?
Aucun commentaire:
Enregistrer un commentaire