[arch-general] Is it secure to just sign repository databases?

Hello, I run a repository locally that I would like to share to the public. The build is mostly automated. That's why I don't want to sign each individual package. The private key is not stored on the build machine and I want to sign the resulting stuff externally. The easiest way would be actually to just manually sign the database file. As this file includes all checksums of the individual packages, I think this is as secure as signing every package, right? Thanks in advance Manuel