[arch-dev-public] Finalizing the package signing process

Daniel Isenmann daniel.isenmann at gmx.de
Sun Oct 30 16:05:31 EDT 2011


On Sun, 30 Oct 2011 19:50:43 +0100
Pierre Schmitz <pierre at archlinux.de> wrote:

> On 30.10.2011 19:13, Daniel Isenmann wrote:
> > On Sun, 30 Oct 2011 19:04:51 +0100
> > Giovanni Scafora <giovanni at archlinux.org> wrote:
> > 
> >> On 30/10/2011 18:56, Daniel Isenmann wrote:
> >> > I'm building my packages exclusively on pkgbuild.com and there I
> >> > can't sign packages. If we do the switch in dbscripts then
> >> > pkgbuild.com should be ready to generate signed packages. As far
> >> > as I know it isn't possible yet, am I right?
> >>
> >> You can build your packages on pkgbuild.com, then download them
> >> locally and sign them with gpg --detach-sign package.
> >> Afterwards, you have to send the .sig files (i686 and x86_64) to pkgbuild,
> >> then execute extrapkg or similar command.
> 
> You can also use commitpkg (as in extrapkg, testingpkg etc.) to sign
> the file if you put the package into your build tree.
> 
> > Downloading them locally isn't really a solution. Too low bandwidth
> > and most of the time I don't build the packages from home.
> > 
> > If dbscripts gets updated without pkgbuild.com supporting signing,
> > then I can't build packages.
> 
> I am sorry, but I have no solution for this atm. And who knows how
> long it takes until gpg is able to do key forwarding and remote
> signing. So I don't feel we should wait for that. And honestly: the
> build server with that many people having root access is quite a
> problem anyway.
> 
> Also if you don't even download (and install) some of your own packages,
> maybe a better solution would be to find someone else to maintain
> them.
> Greetings,
> 
> Pierre
> 

As it seems that there is no real solution here, I will try to do it
as Florian and Giovanni said: download the package, sign it
locally and upload the signature to pkgbuild again.

Nevertheless, we should find a solution to build signed packages on
pkgbuild, otherwise we will lose our build server here, because I see
this as a workaround and not as a solution.

