Am 30.10.2011 19:13, schrieb Daniel Isenmann:
On Sun, 30 Oct 2011 19:04:51 +0100 Giovanni Scafora <giovanni@archlinux.org> wrote:
Il 30/10/2011 18:56, Daniel Isenmann ha scritto:
I'm building my packages exclusive on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
You can build your packages on pkgbuild.com, then download them locally and sign them with gpg --detach-sign package. After, you have to send .sig files (i686 and x86_64) on pkgbuild, then execute extrapkg or similar command.
You can also use commitpkg (as in extrapkg, testingpkg etc.) to sign the file if you put the package into your build tree.
Downloading them locally isn't really a solution. Too low bandwidth and most of the time I don't build the packages from home.
If dbscripts get updated without pkgbuild.com supports signing, then I can't build packages.
I am sorry, but I have no solution for this atm. And who knows how long it takes until gpg is able to do key forwarding and remote signing. So I don't feel we should wait for that. And honestly: the build server with that much people having root access is quite a problem anyway. Also if you don't even download (and install) some your own packages, maybe a better solution would be to find someone else to maintain them. Greetings, Pierre -- Pierre Schmitz, http://pierre-schmitz.com