Ok, have tested the package signing feature from Dan's pacman git. (Thanks Allan for the hint with --disable-doc) I test with the abook package from extra. 1) makepkg ==> Finished making: abook 0.5.6-2 i686 (Thu Dec 4 15:52:44 UTC 2008) ==> Signing package... ==> ERROR: Cannot find the gpg binary! Is gnupg installed? That's right, it is a fresh VM ;-) 2) makepkg ==> Finished making: abook 0.5.6-2 i686 (Thu Dec 4 15:55:34 UTC 2008) ==> Signing package... gpg: directory `/root/.gnupg' created gpg: new configuration file `/root/.gnupg/gpg.conf' created gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/root/.gnupg/secring.gpg' created gpg: keyring `/root/.gnupg/pubring.gpg' created gpg: no default secret key: secret key not available gpg: signing failed: secret key not available ==> WARNING: Failed to sign package file. That's right. I still have no gpg key. After setting up all gpg things makepkg builds and signs the package. 3) Add a repo: mypkg repo-add ad the abook package and puts also the %PGPSIG% field in the desc file. 4) pacman -S mypkg/abook checking package integrity... warning: gpg cmdline: gpg --verify --no-default-keyring --keyserver-options no-auto-key-retrieve --keyring /tmp/testing.gpg - /var/cache/pacman/pkg/abook-0.5.6-2-i686.pkg.tar.gz error: failed to commit transaction (invalid or corrupted package) abook-0.5.6-2-i686.pkg.tar.gz is invalid or corrupted Errors occurred, no packages were upgraded. Ok, i have not imported the public key to root's keyring. 5) [root@archtest ~]# LANG=C pacman -S mypkg/abook resolving dependencies... looking for inter-conflicts... Targets (1): abook-0.5.6-2 Total Download Size: 0.00 MB Total Installed Size: 0.20 MB Proceed with installation? [Y/n] checking package integrity... warning: gpg cmdline: gpg --verify --no-default-keyring --keyserver-options no-auto-key-retrieve --keyring /tmp/testing.gpg - /var/cache/pacman/pkg/abook-0.5.6-2-i686.pkg.tar.gz (1/1) checking for file conflicts [#####################] 100% (1/1) installing abook [#####################] 100% Problem/Question: Where could i define the public keyring location? According to commit: "Add keyring location as option on libalpm handle" the is a libalpm option --keyring. But i have no plan where to define it (in pacman.conf i got an error). I copied my keyring temporary to /tmp/testing.gpg what seems the default search path and filename. Doing this i could install above abook from my repo. 6) [root@archtest ~]# LANG=C pacman -Sy mypkg/abook :: Synchronizing package databases... core is up to date extra is up to date community is up to date mypkg is up to date warning: abook-0.5.6-2 is up to date -- reinstalling resolving dependencies... looking for inter-conflicts... Targets (1): abook-0.5.6-2 Total Download Size: 0.05 MB Total Installed Size: 0.20 MB Proceed with installation? [Y/n] :: Retrieving packages from mypkg... abook-0.5.6-2-i686 49.6K 20.9M/s 00:00:00 [#####################] 100% checking package integrity... warning: gpg cmdline: gpg --verify --no-default-keyring --keyserver-options no-a uto-key-retrieve --keyring /tmp/testing.gpg - /var/cache/pacman/pkg/abook-0.5.6- 2-i686.pkg.tar.gz error: failed to commit transaction (invalid or corrupted package) abook-0.5.6-2-i686.pkg.tar.gz is invalid or corrupted Errors occurred, no packages were upgraded. Here if have modified the abook-0.5.6-2-i686.pkg.tar.gz package, copied to my repo, do a repo-add but use the old *.sig signature. This modified package gets not installed. Maybe the error/reason could be more explained. Summary: I think most of the signing part (makepkg, repo-add) and the verifying part (pacman) works so far. Awesome! gpg verifying is good integrated in pacman, the "warning: gpg cmdline" line thing i assume is a test/debug thing. Next step could be: verifying the database files during pacman -Sy ? Regards Gerhard