[arch-dev-public] sign packages on alderaan (was: Finalizing the package signing process)
schiv at archlinux.org
Fri Nov 11 18:43:11 EST 2011
On 12 November 2011 07:35, Dan McGee <dpmcgee at gmail.com> wrote:
> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv at archlinux.org> wrote:
>> On 31 October 2011 02:06, Florian Pritz <bluewind at xinu.at> wrote:
>>> So far the only solution is to download the finished package, sign it
>>> locally using gpg --detach-sign <file> and then uploading the signature
>>> back to pkgbuild.com so commitpkg will find it.
>> Did something change WRT this workflow now? I'm getting
>> signature-incorrect from commitpkg. I did sign like this 2 times
>> before (opencv and cinelerra-cv), so it did work recently. gpg
>> --verify outputs:
>> gpg: Can't check signature: public key not found
>> But this is normal, and the public key was not there for the previous
>> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
>> need to import my public key on alderaan?
> Is your key in your keychain on alderaan? Probably not from what this
> looks like. Easy to check- `gpg --list-keys 0xfoobar`.
Nope. That was what I was asking - whether I need to add it. The last
2 times that I pushed signed packages from alderaan I didn't do
anything gpg-related remotely.
Anyway, imported the key now so all is good again.
GPG/PGP ID: C0711BF1
More information about the arch-dev-public