[arch-dev-public] Finalizing the package signing process

Daniel Isenmann daniel.isenmann at gmx.de
Sun Oct 30 16:38:40 EDT 2011


On Sun, 30 Oct 2011 21:32:25 +0100
Tom Gundersen <teg at jklm.no> wrote:

> On Sun, Oct 30, 2011 at 9:05 PM, Daniel Isenmann
> <daniel.isenmann at gmx.de> wrote:
> > As it seems that there is no real solution here, I will try to do it
> > like Florian and Giovanni said: download the package, sign it
> > locally and upload the signature to pkgbuild again.
> >
> > Nevertheless we should find a solution to build signed packages on
> > pkgbuild, otherwise we will lose our buildserver here, because I
> > see this as a workaround and not as a solution.
> 
> I don't think signing remotely is going to be possible, also I don't
> see the point of it. We anyway have to download the package in order
> to test it, so we wouldn't really gain anything.

Not all packages have to be tested, e.g. a large rebuild against a new
library version where you are sure that nothing is broken in your
package and it only needs new linking against the new library.
That's only an example.
 
> I use a script to download, sign and upload signature, then I test the
> package locally before pushing it to the repos.

Would you mind providing the script? Such a helper script would help a
lot.

> Just my two cents.
> 
> Cheers,
> 
> Tom

