gpg --export and --export-secret-keys
gpg --export writes public keys and --export-secret-keys writes private keys, optionally ASCII-armored.
To get a signing key into a CI secret you export it once locally. --armor makes it a text block that pastes cleanly into a secret store.
What it does
gpg --export emits the public key for the named identifiers; gpg --export-secret-keys emits the secret key. With --armor the output is ASCII-armored text rather than binary, which is what you paste into a CI secret.
Common usage
# armored public key for verification on the runner
gpg --armor --export you@example.com > pubkey.asc
# armored secret key to store as a CI secret
gpg --armor --export-secret-keys you@example.com > private.asc
# binary export of one key by fingerprint
gpg --export-secret-keys ABCD1234 > private.gpgOptions
| Flag | What it does |
|---|---|
| --export | Export public keys |
| --export-secret-keys | Export secret (private) keys |
| --export-secret-subkeys | Export subkeys only, leaving the primary offline |
| --armor / -a | ASCII-armor the output (text, not binary) |
| --output <file> / -o | Write to a file instead of stdout |
In CI
Export with --armor so the secret is a single text block, then store the whole block (including the BEGIN/END lines) in the secret. On the runner, pipe it back into gpg --batch --import. For tighter security, export only --export-secret-subkeys so the offline primary key never touches CI.
Common errors in CI
"gpg: WARNING: nothing exported" means the key identifier matched nothing; check the email or fingerprint with --list-secret-keys. Exporting a secret key may prompt for the passphrase; in scripts add --batch --pinentry-mode loopback --passphrase-fd to supply it. Without --armor you get binary that breaks if pasted as text.