In order to ensure the chain of custody for builds which are done on Circle-CI, especially for projects without reproducible builds, we need cryptographic signatures.
Ideally, Circle-CI would generate a per-project (repo) private RSA key, which is a subkey or a key that is signed by Circle-CI’s master key. With this key, ideally it would generate detached signatures for all the artifacts, in order to ensure that the artifacts stay uncompromised.
Right now, this functionality can be emulated like so: https://github.com/mesosphere/mesos-dns/blob/master/circle.yml – where we have a PASSPHRASE for a private key we ship with the repo, in order to ensure the chain of custody. This has two problems: (1) A member of the project who generated this key could lose it, or accidentally leak it (2) Exfiltration of the environment variable could occur by accident.
An alternative strategy, which is even more powerful would be to load something like
gpg-agent with the project’s private key(s), and allow the user to use gpg all they want.