On 2024-02-06 14:35:34 +0800 (+0800), Simon khng wrote:
[...]
> 3) Use 'password enabled key store' to prevent unauthorized access to
> digital keys.
> 4) Use 'password enabled signing' to prevent unauthorized usage of digital
> keys.
> The use of number 3 and 4 are the steps for developers to upload
> application packages as part of the
> verification process by Google for the 'Play store' used in Android OS
> devices.
[...]

This is already a standard practice for anyone using OpenPGP/GnuPG keys. I personally know no one who keeps their developer private keys or subkeys unencrypted.

That said, it's not enforceable (or detectable), so it can at best only be part of a documented workflow process. There is no way to actually guarantee everyone follows it. In business, such things are confirmed (often badly) by independent audit. For a volunteer-driven community effort, we have to rely on everyone to exercise their best judgement in these sorts of matters.

-- 
Jeremy Stanley