On Sat, 2025-05-03 at 09:35 -0400, Pocket wrote:
So my questions are as follows
1.
Answered by pocket.
2. I would like to sign the packages in the custom repository.
I have built this into my package building / repo toolkit. While I have shared a lot of my tools in the aur I have not yet released these ones. At some point I probably will.

That said, the idea is each repository has its own repo database files. True for official repos as well as self managed. They are the same. For example the repo database files are found in <repo>/os/x86_64/*db* where the repo name is <repo> - be it "core", "core-testing" or "my-repo".

The relevant files, using core-testing as example (replace core-testing with whatever your repo name is that you want to sign):

core-testing.db
core-testing.db.tar.gz.old
core-testing.db.sig
core-testing.db.tar.gz.sig
core-testing.db.tar.gz

The "old" ones are just previous ones from repo-add/repo-remove. Ignore those. You probably use zstd compression for your own repo (I do), so all ".gz" would be ".zst". We have "core-testing.db" which is a symlink to core-testing.db.tar.gz, so ignore this as well.

The actual database file is core-testing.db.tar.gz and this is what must be signed - once it's signed the signature file is core-testing.db.tar.gz.sig. You need to have a symlink for the sig too (just like for the database file):

core-testing.db.sig (symlink) -> core-testing.db.tar.gz.sig

In a nutshell (adjust repo-name and compression extension as appropriate):

(a) sign: <repo-name>.db.tar.zst ==> <repo-name>.db.tar.zst.sig
(b) symlink: ln -s <repo-name>.db.tar.zst.sig <repo-name>.db.sig

To sign the database file, use gpg (or sequoia sq if you prefer) with detached sig. Something like:

gpg --detach-sign --no-armor -u <your-gpg-uid> <repo-name>.db.tar.zst

Hope that helps.

-- 
Gene
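The sign-then-symlink procedure from the message above, written out as a small POSIX shell script. This is an added example, not Gene's toolkit and not code from Arch's repo-add; it assumes the <repo>/os/x86_64/<repo>.db.tar.<ext> layout described above, a zstd-compressed database by default, and that the signing key is named in a GPG_UID environment variable (that variable and all function names are this example's own). check_db_layout is the sanity check a practitioner would run afterwards: it confirms that the database, its detached signature and both symlinks are present and that the links point at the right files, which is exactly what a missing or stale .db.sig link breaks.

```shell
#!/bin/sh
# sign_repo_db.sh - sign a pacman repo database and create the .db.sig symlink.
# Added example (not from the message above or from repo-add). Assumes the
# layout <repo>/os/x86_64/<repo>.db.tar.<ext> and a signing key chosen by GPG_UID.

# sign_file FILE: produce a detached, binary signature FILE.sig.
# Kept as its own function so another signer (sequoia sq, a test stub)
# can replace it without touching the rest.
sign_file() {
    rm -f "$1.sig"   # gpg would otherwise stop and ask before overwriting
    gpg --detach-sign --no-armor -u "${GPG_UID:?set GPG_UID to the signing key}" "$1"
}

# sign_db DIR REPO [EXT]: sign DIR/REPO.db.tar.EXT and symlink REPO.db.sig to it.
sign_db() (
    dir=$1; repo=$2; ext=${3:-zst}
    db="$repo.db.tar.$ext"
    cd "$dir" || exit 1
    if [ ! -f "$db" ]; then
        echo "sign_db: no $db in $dir" >&2
        exit 1
    fi
    sign_file "$db" || exit 1
    # relative link, like the REPO.db -> REPO.db.tar.EXT link repo-add creates
    ln -sf "$db.sig" "$repo.db.sig"
)

# check_db_layout DIR REPO [EXT]: return 0 only if the database, its signature
# and both symlinks exist and the links point at the right files.
check_db_layout() (
    dir=$1; repo=$2; ext=${3:-zst}
    db="$repo.db.tar.$ext"
    cd "$dir" || exit 1
    [ -f "$db" ]     || { echo "missing $db" >&2; exit 1; }
    [ -f "$db.sig" ] || { echo "missing $db.sig (database not signed?)" >&2; exit 1; }
    [ -L "$repo.db" ] && [ "$(readlink "$repo.db")" = "$db" ] ||
        { echo "$repo.db must be a symlink to $db" >&2; exit 1; }
    [ -L "$repo.db.sig" ] && [ "$(readlink "$repo.db.sig")" = "$db.sig" ] ||
        { echo "$repo.db.sig must be a symlink to $db.sig" >&2; exit 1; }
    exit 0
)

# verify_db DIR REPO [EXT]: let gpg check the signature against the database
# (pacman does the equivalent when the repo's SigLevel requires database signatures).
verify_db() (
    cd "$1" || exit 1
    gpg --verify "$2.db.tar.${3:-zst}.sig" "$2.db.tar.${3:-zst}"
)

# Usage: sh sign_repo_db.sh /srv/repo/myrepo/os/x86_64 myrepo [zst]
if [ $# -ge 2 ]; then
    sign_db "$1" "$2" "${3:-zst}" && check_db_layout "$1" "$2" "${3:-zst}" \
        && verify_db "$1" "$2" "${3:-zst}"
fi
```

Run it after every repo-add or repo-remove: those rewrite the .db.tar.zst and leave any earlier .sig stale, and pacman then rejects the database if the repository's SigLevel requires database signatures. repo-add's own --sign option performs the same signing step and symlink while adding the package.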