I'm trying to use maven-gpg-plugin:sign in order to sign project artifacts before deployment to the Sonatype OSS repository. The question is: where shall I keep my secret key?
If the key is sensitive, put it in the ~/.gnupg directory on the CI server and protect that directory with proper access modifiers.
The 2nd approach will allow every developer with access to the project to see the key.
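The "protect that directory with proper access modifiers" advice above, worked through as a small POSIX shell script (an added example, not code from the thread or from maven-gpg-plugin): one function creates the CI user's GnuPG home as owner-only, one audits it so a CI job can fail fast if a key file has been left group- or world-readable, and one restores owner-only modes. The directory path, the file names and the CI user are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed layout: the CI user
# keeps the signing key in a dedicated GnuPG home such as /var/lib/ci/.gnupg.

# Create $1 as a GnuPG home that only its owner can enter or list.
setup_gnupg_home() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
}

# Return 0 if $1 and everything below it has no group/other permission bits,
# 1 otherwise. Offending paths go to stderr so the CI log shows what to fix.
# Uses only POSIX find predicates (-perm -mode) so it is portable.
audit_gnupg_home() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    loose=$(find "$dir" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                         -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    if [ -n "$loose" ]; then
        echo "group/world-accessible entries under $dir:" >&2
        echo "$loose" >&2
        return 1
    fi
    return 0
}

# Restore owner-only modes: 700 on directories, 600 on files.
fix_gnupg_home() {
    dir="$1"
    chmod 700 "$dir" \
        && find "$dir" -type d -exec chmod 700 {} \; \
        && find "$dir" -type f -exec chmod 600 {} \;
}

# Typical CI usage (the path is an assumption):
#   setup_gnupg_home /var/lib/ci/.gnupg
#   audit_gnupg_home /var/lib/ci/.gnupg || exit 1
```

Run the audit at the start of the signing job; if it fails, nothing is signed and the log names the loose entry. Point the plugin at that directory with its `gpg.homedir` property (for example `mvn -Dgpg.homedir=/var/lib/ci/.gnupg deploy`) so the key never has to live in a developer-readable project checkout.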