Skip to content
Latchkey

gpg --export and --export-secret-keys

gpg --export writes public keys and --export-secret-keys writes private keys, optionally ASCII-armored.

To get a signing key into a CI secret you export it once locally. --armor makes it a text block that pastes cleanly into a secret store.

What it does

gpg --export emits the public key for the named identifiers; gpg --export-secret-keys emits the secret key. With --armor the output is ASCII-armored text rather than binary, which is what you paste into a CI secret.

Common usage

Terminal
# armored public key for verification on the runner
gpg --armor --export you@example.com > pubkey.asc
# armored secret key to store as a CI secret
gpg --armor --export-secret-keys you@example.com > private.asc
# binary export of one key by fingerprint
gpg --export-secret-keys ABCD1234 > private.gpg

Options

FlagWhat it does
--exportExport public keys
--export-secret-keysExport secret (private) keys
--export-secret-subkeysExport subkeys only, leaving the primary offline
--armor / -aASCII-armor the output (text, not binary)
--output <file> / -oWrite to a file instead of stdout

In CI

Export with --armor so the secret is a single text block, then store the whole block (including the BEGIN/END lines) in the secret. On the runner, pipe it back into gpg --batch --import. For tighter security, export only --export-secret-subkeys so the offline primary key never touches CI.

Common errors in CI

"gpg: WARNING: nothing exported" means the key identifier matched nothing; check the email or fingerprint with --list-secret-keys. Exporting a secret key may prompt for the passphrase; in scripts add --batch --pinentry-mode loopback --passphrase-fd to supply it. Without --armor you get binary that breaks if pasted as text.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →