Storing GPG Public Keys in Git | Generated by AI
Question: Can we save a .gpg public key file in a Git repository?
Answer:
Yes, it is safe and often recommended to store GPG public key files (typically exported as .asc or .gpg ASCII-armored files) in a Git repository.
GPG public keys are designed to be shared widely—this is fundamental to how asymmetric encryption works. Distributing your public key allows others to encrypt data for you or verify your signatures. There are no significant security risks in committing a public key to a Git repo, whether public or private:
- No sensitive information is exposed (the private key remains secret).
- It facilitates team workflows, such as verifying signed commits/tags or allowing tools like
git-secretto encrypt secrets using team members’ public keys. - Common practices include storing maintainer/developer public keys in repositories for offline or firewalled environments, or embedding them as Git objects/blobs for verification.
Important warnings:
- Never commit the private key (or secret keyring)—this would be a severe security breach.
- If the repository is public, widely distributing the public key is fine, but ensure the key’s associated email/identity matches your needs.
- For critical projects, pin the key by its fingerprint rather than relying solely on the file to avoid potential tampering (though this is rare in practice).
This is standard in open-source projects and supported by platforms like GitHub/GitLab, where public keys are routinely shared or uploaded for commit verification.
References:
- Reddit discussion on storing PGP public keys in repos
- Stack Overflow: Sharing public key in Git repo for signing verification
- GitHub Docs: Adding a GPG key
- Information Security Stack Exchange: Storing GPG encrypted data publicly