[arch-dev-public] Finalizing the package signing process

Pierre Schmitz pierre at archlinux.de
Sun Oct 30 14:50:43 EDT 2011


On 30.10.2011 19:13, Daniel Isenmann wrote:
> On Sun, 30 Oct 2011 19:04:51 +0100
> Giovanni Scafora <giovanni at archlinux.org> wrote:
> 
>> On 30/10/2011 18:56, Daniel Isenmann wrote:
>> > I'm building my packages exclusively on pkgbuild.com and there I can't
>> > sign packages. If we do the switch in dbscripts then pkgbuild.com
>> > should be ready to generate signed packages. As far as I know it
>> > isn't possible yet, am I right?
>>
>> You can build your packages on pkgbuild.com, then download them
>> locally and sign them with gpg --detach-sign package.
>> Afterwards, you have to send the .sig files (i686 and x86_64) to pkgbuild,
>> then execute extrapkg or similar command.

You can also use commitpkg (as in extrapkg, testingpkg etc.) to sign
the file if you put the package into your build tree.

> Downloading them locally isn't really a solution. Too low bandwidth and
> most of the time I don't build the packages from home.
> 
> If dbscripts get updated without pkgbuild.com supporting signing, then I
> can't build packages.

I am sorry, but I have no solution for this atm. And who knows how long
it takes until gpg is able to do key forwarding and remote signing. So I
don't feel we should wait for that. And honestly: the build server with
that many people having root access is quite a problem anyway.

Also, if you don't even download (and install) some of your own packages,
maybe a better solution would be to find someone else to maintain them.

Greetings,

Pierre

-- 
Pierre Schmitz, http://pierre-schmitz.com

