[arch-dev-public] sign packages on alderaan (was: Finalizing the package signing process)
daniel.isenmann at gmx.de
Sun Oct 30 16:09:08 EDT 2011
On Sun, 30 Oct 2011 19:06:21 +0100
Florian Pritz <bluewind at xinu.at> wrote:
> On 30.10.2011 18:56, Daniel Isenmann wrote:
> > I'm building my packages exclusive on pkgbuild.com and there I can't
> > sign packages. If we do the switch in dbscripts then pkgbuild.com
> > should be ready to generate signed packages. As far as I know it
> > isn't possible yet, am I right?
> So far the only solution is to download the finished package, sign it
> locally using gpg --detach-sign <file> and then uploading the
> signature back to pkgbuild.com so commitpkg will find it.
> There has been some discussion  about remote signing for GPG, but I
> think they dropped the idea.
Kerrick Staley last comment  on this thread was that they will go
with the hash-signing implementation. But it seems that there is
nothing new on this topic.
More information about the arch-dev-public