Deploy GPG Keypairs with Reis (Flag Mode)

Create and manage GPG keypairs directly from the command line using Reis flag-mode commands.

Updated 23 Jun 2026

Create a GPG keypair

reis gpg_keypair:create \
  --name "Artifact Signing Key" \
  --handle signing-key \
  --public_key_file ./keys/signing.pub.asc \
  --private_key_file ./keys/signing.sec.asc

Both the public key and private key files are required (ASCII-armoured GPG format). The handle must be DNS-1123 compliant (lowercase alphanumeric and hyphens, max 63 characters).
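A pre-flight check for the requirements above, as an added example that is not part of Reis or its documentation: it validates the handle as a DNS-1123 label, confirms each file carries the matching ASCII-armor header (which catches swapped public and private files), and checks that the private key file is not accessible to group or other. The function names are hypothetical, the permission check is an extra precaution rather than a Reis requirement, and the header check assumes the armor header is the first non-empty line, as in gpg --armor exports.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before `reis gpg_keypair:create`.
# Function names are hypothetical; they are not part of Reis.

# DNS-1123 label: lowercase alphanumerics and hyphens, alphanumeric at
# both ends, at most 63 characters.
valid_handle() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 63 ] || return 1
  printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# True when the first non-empty line of file $1 is the armor header for
# block type $2 ("PUBLIC" or "PRIVATE"). Assumes no text precedes the header.
armor_type_is() {
  [ -r "$1" ] || return 1
  first=$(sed -n '/[^[:space:]]/{p;q;}' "$1" | tr -d '\r')
  [ "$first" = "-----BEGIN PGP $2 KEY BLOCK-----" ]
}

# True when group and other have no permission bits on file $1.
private_perms_ok() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Usage: preflight <handle> <public_key_file> <private_key_file>
# Reports every problem on stderr; returns non-zero if any check fails.
preflight() {
  rc=0
  valid_handle "$1" || { echo "handle '$1' is not a DNS-1123 label" >&2; rc=1; }
  armor_type_is "$2" PUBLIC || { echo "$2: not an armored public key" >&2; rc=1; }
  armor_type_is "$3" PRIVATE || { echo "$3: not an armored private key" >&2; rc=1; }
  [ ! -e "$3" ] || private_perms_ok "$3" || { echo "$3: accessible to group/other" >&2; rc=1; }
  return "$rc"
}

# Example call, using the handle and paths from the create command above:
# preflight signing-key ./keys/signing.pub.asc ./keys/signing.sec.asc &&
#   reis gpg_keypair:create --name "Artifact Signing Key" \
#     --handle signing-key \
#     --public_key_file ./keys/signing.pub.asc \
#     --private_key_file ./keys/signing.sec.asc
```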

List GPG keypairs

reis gpg_keypair:list

Shows a table with handle, name, key ID, algorithm, and creation date for each keypair.

Show details

reis gpg_keypair:show <keypair-id>

Displays the full metadata including fingerprint, user ID, and expiry date.

Rotate key material

reis gpg_keypair:rotate <keypair-id> \
  --public_key_file ./keys/new-signing.pub.asc \
  --private_key_file ./keys/new-signing.sec.asc

Creates a new version and marks it current. The previous version is retained for rollback.

List versions

reis gpg_keypair:versions <keypair-id>

Activate a previous version (rollback)

reis gpg_keypair:activate_version <keypair-id> <version-number>

Delete a GPG keypair

reis gpg_keypair:delete <keypair-id>

Add --force to skip the confirmation prompt. Deleting removes all versions, project attachments, and container wiring.

Attach to a project

reis project:attach <project-id> gpg_keypairs signing-key

The singular alias gpg_keypair is also accepted. The project-id is the UUID that Reis returns from project:list or project:show.

Detach from a project

reis project:detach <project-id> gpg_keypairs signing-key

If a running container still mounts the keypair, detach is rejected with a 409 that names the blocking container. Tear that container down (or remove its gpg_keypairs block) and retry.
