Securely store GPG private key in Jenkins?
I'm trying to store my GPG private key in Jenkins so that I can use it to sign rpm packages and repositories. This works fine, but I'm not able to obfuscate the key so that it doesn't get displayed in the Jenkins logs. I've tried adding it as a Global Credential using the credentials plugin; however, when I paste it in and then eyeball it using the icon off to the right I only see the top line -----BEGIN PGP PRIVATE KEY BLOCK-----

Also (and I must be being really dumb here) when I cat the private key in my pipeline job I just see the ID of the key, instead of the actual secret!?

I thought maybe Jenkins was being clever and obfuscating the key, by replacing it with the ID but I tried "head" and "grep" and I still get the same thing.

Where is the best place to store a GPG private key in Jenkins?

Balloon answered 24/8, 2018 at 11:12 Comment(1)
Does this answer your question? Where to keep a GPG secret key for a Maven project in CI environment?

First of all, you need to store your GPG key as a secret file in the Jenkins Credential Manager. You can also store it as secret text, but in this case I prefer to use a secret file.

Now, to import the key into your Jenkins Pipeline use the following code:

withCredentials([file(credentialsId: credentialId, variable: 'signingKey')]) {
    // copy the key to the signkey.gpg file in *plain text* so we can import it
    // (single-quoted Groovy string: $signingKey is expanded by the shell, not by Groovy)
    sh 'cat "$signingKey" > "$WORKSPACE/signkey.gpg"'
    // import the key into the gpg keyring
    sh 'gpg --allow-secret-key-import --import "$WORKSPACE/signkey.gpg"'
}

Maybe copying the gpg file into plain text is not the best in terms of security, but it works for now.

Chrysanthemum answered 27/1, 2024 at 2:38 Comment(0)
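A hardened variant of the approach in the answer above, as an added example that is not part of the original post: the secret file is imported straight from the path Jenkins provides into a throwaway `GNUPGHOME` that is removed when the step ends, so no plain-text copy of the key is left in the workspace. The credential id `rpm-signing-key`, the `dist/*.rpm` paths and a passphrase-less signing key are assumptions; `gpg` and `rpm` must be installed on the agent.

```groovy
// Added example, not the original answer's code. Assumes a Jenkins "secret file"
// credential with id 'rpm-signing-key' (hypothetical) holding an exported,
// passphrase-less GPG secret key, and RPMs to sign under dist/.
pipeline {
    agent any
    stages {
        stage('Sign RPMs') {
            steps {
                withCredentials([file(credentialsId: 'rpm-signing-key', variable: 'SIGNING_KEY')]) {
                    // Triple single quotes: Groovy does not interpolate $SIGNING_KEY, so the
                    // shell expands it at run time and the value never appears in the
                    // pipeline script text that Jenkins records.
                    sh '''
                        set -eu
                        set +x                              # stop echoing commands that name the key
                        export GNUPGHOME="$(mktemp -d)"     # private, per-build keyring
                        trap 'rm -rf "$GNUPGHOME"' EXIT     # wiped even if signing fails
                        chmod 700 "$GNUPGHOME"

                        # Import directly from the credential file: no copy into $WORKSPACE.
                        gpg --batch --quiet --import "$SIGNING_KEY"

                        # Fingerprint of the imported key (field 10 of the colon-separated fpr line).
                        FPR="$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr/ {print $10; exit}')"

                        # Sign with that key and verify the signature before publishing.
                        rpm --define "_gpg_name $FPR" --addsign dist/*.rpm
                        rpm --checksig dist/*.rpm
                    '''
                }
            }
        }
    }
}
```

If the key has a passphrase, `rpm --addsign` will prompt for it; in that case the passphrase should be supplied from a second credential rather than embedded in the Jenkinsfile.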
