[arch-dev-public] sign packages on alderaan

Ray Rashif schiv at archlinux.org
Sat Nov 12 07:55:00 EST 2011

On 12 November 2011 08:04, Ionut Biru <ibiru at archlinux.org> wrote:
> On 11/12/2011 01:59 AM, Dan McGee wrote:
>> On Fri, Nov 11, 2011 at 5:56 PM, Ionut Biru <ibiru at archlinux.org> wrote:
>>> On 11/12/2011 01:43 AM, Ray Rashif wrote:
>>>> On 12 November 2011 07:35, Dan McGee <dpmcgee at gmail.com> wrote:
>>>>> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv at archlinux.org> wrote:
>>>>>> On 31 October 2011 02:06, Florian Pritz <bluewind at xinu.at> wrote:
>>>>>>> So far the only solution is to download the finished package, sign it
>>>>>>> locally using gpg --detach-sign <file> and then upload the signature
>>>>>>> back to pkgbuild.com so commitpkg will find it.
>>>>>> Did something change WRT this workflow now? I'm getting
>>>>>> signature-incorrect from commitpkg. I did sign like this 2 times
>>>>>> before (opencv and cinelerra-cv), so it did work recently. gpg
>>>>>> --verify outputs:
>>>>>> gpg: Can't check signature: public key not found
>>>>>> But this is normal, and the public key was not there for the previous
>>>>>> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
>>>>>> need to import my public key on alderaan?
>>>>> Is your key in your keychain on alderaan? Probably not from what this
>>>>> looks like. Easy to check- `gpg --list-keys 0xfoobar`.
>>>>> -Dan
>>>> Nope. That was what I was asking - whether I need to add it. The last
>>>> 2 times that I pushed signed packages from alderaan I didn't do
>>>> anything gpg-related remotely.
>>>> Anyway, imported the key now so all is good again.
>>>> --
>>>> GPG/PGP ID: C0711BF1
>>> don't import any key on alderaan.
>> Hmm?
>> He is trying to *verify*, meaning he needs his *public* key. This has
>> nothing to do with signing or private keys. It makes a heck of a lot
>> more sense bandwidth-wise for him to upload the signature file to
>> alderaan than upload both the package and signature from his local
>> machine, so why should he not be able to do that? The `gpg --verify`
>> call is there to make sure developers don't accidentally upload
>> mismatched packages and corresponding signature files, which could
>> easily happen when doing test builds and --nosign, etc.
>> -Dan
> well, i understood that he signed the package on alderaan...

Then you misunderstood. My reply to the topic meant I was referring to
the only workaround to "sign packages on alderaan", which is to build,
download packages, sign locally, upload signatures, and then push.

I followed that process on 2 previous occasions and there was no
complaint even when there was no public key on the remote machine, but
this time commitpkg complained about the signatures. So I only wanted
to know whether I did anything wrong.

Anyway, it's now evident that the verification was not there before.
Importing a public key poses no risk (done with --recv-keys), so there
is also no need to change anything in commitpkg.
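
The two outcomes discussed in this thread, a signature that cannot be checked because the signer's public key is missing and a package that does not match its signature, can be told apart from gpg's machine-readable status output. The sketch below is an added example, not code from commitpkg or from anyone in the thread; the function names, key ID and user ID are constructed.

```shell
#!/bin/sh
# Added example: tell "cannot check" apart from "does not match" when
# verifying a detached signature, using gpg's --status-fd output.

# Reads gpg status lines on stdin and prints one verdict:
#   good       signature checks out against the file
#   mismatch   key is present but file and signature do not belong together
#   no-pubkey  signer's public key is not in the local keyring
#   error      none of the above was reported
classify_gpg_status() {
    verdict=error
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    verdict=mismatch; break ;;
            "[GNUPG:] NO_PUBKEY "*) verdict=no-pubkey ;;
            "[GNUPG:] GOODSIG "*)
                if [ "$verdict" = error ]; then verdict=good; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Hypothetical wrapper: $1 = package file, $2 = its detached .sig file.
check_pkg_sig() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_gpg_status
}

# Constructed status output; key ID and user ID are placeholders.
SAMPLE_NO_PUBKEY='[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1321100000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
SAMPLE_MISMATCH='[GNUPG:] BADSIG 0123456789ABCDEF Example Packager <packager@example.org>'
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>'

for sample in "$SAMPLE_NO_PUBKEY" "$SAMPLE_MISMATCH" "$SAMPLE_GOOD"; do
    printf '%s\n' "$sample" | classify_gpg_status
done
```

Once the public key is in the keyring, the `no-pubkey` case resolves to either `good` or `mismatch`, which is the answer the upload check is after.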

