
Fixing GPG and Zscaler Conflicts in CI/CD Pipelines


Our GPG keys had expired. The Zscaler tunnel was dropping traffic. Deployments froze mid-push, and the pipeline was dead.

If you’ve paired GPG with Git for commit signing, and your network runs through Zscaler, you know the dance. One part cryptography. One part network inspection. And when they get out of sync, nothing moves.

What breaks
Most failures come down to Zscaler intercepting or blocking the traffic GPG uses to fetch or verify keys, whether that is a keyserver over HKP/HKPS or a Web Key Directory over HTTPS. Some teams see key pushes (--send-keys) or pulls (--recv-keys, --refresh-keys) fail with certificate errors. Others see commits rejected because the verifying side, a CI job or the hosting platform, cannot obtain the signer's public key and so cannot validate the signature. Git itself hits the same wall when it pushes over HTTPS through the proxy, since it too has to trust the certificate Zscaler presents; SSH tunnelled over port 443 is a different case, because it is not TLS and an inspecting proxy may block it outright rather than intercept it.

Why it happens
dirmngr, the GnuPG component that talks to keyservers and WKD hosts, validates the TLS certificate the remote presents just as a browser does. Zscaler's SSL inspection terminates that TLS session at the proxy and re-issues a certificate for the destination signed by Zscaler's own CA. If dirmngr does not trust that CA (and, depending on how GnuPG was built, it may not consult the OS trust store at all), the fetch fails; if the proxy policy blocks the keyserver host or port entirely, it never connects. Either way your workflow stalls.


How to fix it fast

  • Point GPG at a keyserver reachable over a port and protocol Zscaler allows: hkps:// on 443 rather than hkp:// on 11371. WKD (Web Key Directory) over HTTPS works too, as long as the Zscaler certificate is trusted.
  • Import Zscaler's root CA into the OS trust store, and point dirmngr at it explicitly with `hkp-cacert` in ~/.gnupg/dirmngr.conf, because some GnuPG builds ignore the OS store for keyserver TLS.
  • Consider hosting an internal Hagrid or Hockeypuck keyserver inside the Zscaler perimeter (SKS is no longer maintained) and configure dirmngr to query it.
  • Check that ~/.gnupg/dirmngr.conf carries the right `http-proxy` entry, disable lookup methods the proxy blocks (for example `disable-ldap`), and run `gpgconf --reload dirmngr` so the change takes effect.
  • In CI, avoid live keyserver lookups altogether: ship the public keys the job needs as a file in the repository or a pipeline secret and `gpg --import` them before verifying, so a proxy outage cannot fail a verification step.
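The two checks a practitioner wants here, covering both the "Why it happens" diagnosis and the dirmngr fix above, as an added example that is not code from the original post or from hoop.dev: first confirm that the keyserver path really is TLS-inspected (the certificate a keyserver presents is issued by Zscaler's CA instead of a public one), then render and apply a dirmngr.conf that trusts that CA and routes through the proxy. The keyserver URL, the CA file path and the proxy host:port are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or hoop.dev): detect TLS inspection
# on the keyserver path and write a dirmngr.conf that trusts the inspecting CA.
# Keyserver URL, CA file path and proxy host:port are illustrative assumptions.

# Classify the "issuer=" line that `openssl x509 -noout -issuer` prints for the
# leaf certificate a host presented. A chain issued by Zscaler means the proxy
# terminated TLS; a public CA means this connection was not inspected.
classify_issuer() {
  case "$1" in
    *Zscaler*) echo intercepted ;;
    *)         echo direct ;;
  esac
}

# Probe a keyserver over hkps (443) and classify the certificate it presents.
# Needs network access and openssl; the offline checks below do not call it.
probe_keyserver() {
  host=${1:-keys.openpgp.org}
  issuer=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
             | openssl x509 -noout -issuer)
  classify_issuer "$issuer"
}

# Render a dirmngr.conf to stdout.
#   $1  keyserver URL (hkps:// so the proxy sees ordinary TLS on 443)
#   $2  PEM file holding the root CA to trust for hkps (dirmngr expects a .pem suffix)
#   $3  optional explicit proxy host:port
# With hkp-cacert set, dirmngr verifies hkps against the listed roots; the option
# may be repeated, so add a public-root bundle too if some hosts bypass inspection.
render_dirmngr_conf() {
  printf 'keyserver %s\n' "$1"
  printf 'hkp-cacert %s\n' "$2"
  if [ -n "${3:-}" ]; then
    printf 'http-proxy %s\n' "$3"
  fi
  printf 'disable-ldap\n'   # LDAP keyserver lookups are rarely allowed through the proxy
}

# Write the config under GNUPGHOME and make the running dirmngr pick it up.
apply_dirmngr_conf() {
  dir=${GNUPGHOME:-$HOME/.gnupg}
  mkdir -p "$dir" && chmod 700 "$dir"
  render_dirmngr_conf "$@" > "$dir/dirmngr.conf"
  gpgconf --reload dirmngr
}
```

Run `probe_keyserver keys.openpgp.org` from the affected host. `intercepted` confirms the proxy is in the path, so `apply_dirmngr_conf hkps://keys.openpgp.org ~/zscaler-root.pem proxy.corp.example:9400` followed by `gpg --recv-keys <fingerprint>` is the check that the fix took. `direct` with a failing fetch means the problem is a block, not a certificate mismatch, and the remedy is in the Zscaler policy or a different port.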

Best practices
Extend or rotate keys before they expire so you're not forced into an after-hours rebuild; extending the expiry of an existing key keeps its fingerprint, so nothing downstream has to re-trust it. Check expiry dates in a pre-flight step rather than discovering them when a push fails. Automate key distribution internally. Audit Zscaler SSL policies to allow-list traffic to the keyserver and WKD endpoints you depend on. Keep your GnuPG version up to date.
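The expiry pre-flight the best practices call for, as an added example that is not code from the original post or from hoop.dev. It reads the machine-readable listing from `gpg --with-colons --list-keys`, where pub and sub records carry the creation and expiry times as epoch seconds in fields 6 and 7 (field 7 is empty for keys that never expire), and fails the job when any key is already expired or expires inside a window. The sample listing is constructed for offline use and contains no real keys; the window and the "now" timestamp are parameters so the check is deterministic in CI.

```shell
#!/bin/sh
# Added example (not from the original post or hoop.dev): CI pre-flight gate that
# flags signing keys expiring within a window, so expiry is caught before a push
# fails. Input is `gpg --with-colons --list-keys` output on stdin.

# $1: window in days, $2: "now" as epoch seconds (injectable for tests).
# Prints "<type> <keyid> <days-left>" for every pub/sub key whose expiry falls
# inside the window; a non-positive days-left means it has already expired.
expiring_keys() {
  awk -F: -v window="$1" -v now="$2" '
    ($1 == "pub" || $1 == "sub") && $7 != "" {
      left = int(($7 - now) / 86400)
      if (left < window) printf "%s %s %d\n", $1, $5, left
    }'
}

# Constructed sample listing for offline use (not real keys): one primary key
# expiring soon, one subkey with plenty of time, one key that never expires.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1600000000:1700000000::u:::scESC::::::23::0:
uid:u::::1600000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::CI Signing <ci@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000:1800000000:::::s::::::23:
pub:u:255:22:1111222233334444:1650000000:::u:::scESC::::::23::0:'

# Gate: returns non-zero (failing the job) when anything expires inside the window.
# Usage in a pipeline: gpg --with-colons --list-keys | check_signing_keys 30
check_signing_keys() {
  window=${1:-30}
  now=${2:-$(date +%s)}
  hits=$(expiring_keys "$window" "$now")
  if [ -n "$hits" ]; then
    echo "signing keys expiring within $window days (type keyid days-left):" >&2
    echo "$hits" >&2
    return 1
  fi
  return 0
}
```

When the gate trips, `gpg --quick-set-expire <fingerprint> 1y` extends the existing key in place (and `gpg --quick-set-expire <fingerprint> 1y '*'` covers its subkeys), after which the refreshed public key is redistributed through the internal channel rather than regenerated.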

The goal is simple: ensure GPG and Zscaler work together, so your CI/CD pipelines keep running no matter the network inspection policies. The longer they’re in conflict, the more you bleed delivery speed.

You can get a working proof-of-concept that signs commits, passes through Zscaler, and deploys clean—without manual patches—by trying it on hoop.dev. Build the live, pipelined workflow in minutes and skip the all-night firefight.
