[arch-dev-public] Finalizing the package signing process

Tom Gundersen teg at jklm.no
Sun Oct 30 16:58:35 EDT 2011


On Sun, Oct 30, 2011 at 9:38 PM, Daniel Isenmann <daniel.isenmann at gmx.de> wrote:
>> I don't think signing remotely is going to be possible, also I don't
>> see the point of it. We anyway have to download the package in order
>> to test it, so we wouldn't really gain anything.
>
> Not all packages have to be tested, e.g. a large rebuild against a new
> library version which you are sure that nothing is broken in your
> package and only needs new linking against the new library.
> That's only as an example.

But surely you will eventually download and install it? That said, I
guess there will be cases where it would be useful to not immediately
have to download the package (even if I'm struggling to imagine atm).

>> I use a script to download, sign and upload signature, then I test the
>> package locally before pushing it to the repos.
>
> Mind if you can provide the script. Such a helper script would help a
> lot.

Sure, it is based on something given to me by another dev on IRC
(forgot who). Hopefully they won't sue me for copyright infringement
;-)

It will leave the packages in /tmp for you to test, so you might want
to remember to delete them afterwards.

#!/bin/bash
# Usage: signpkg <pkgname>
# Fetch the built packages for <pkgname> from pkgbuild.com, create a
# detached gpg signature for each one, and upload only the .sig files.
# The packages are left in the temp dir so they can be tested locally.
set -e
[ $# -eq 1 ] || { echo "usage: $0 <pkgname>" >&2; exit 1; }

DIR=$(mktemp -d "/tmp/signpkg.${1}.XXXXX")
pushd "${DIR}"
scp "pkgbuild.com:svn-packages/${1}/trunk/*.pkg.tar.xz" .
for i in *.pkg.tar.xz; do
  [ -e "$i" ] || { echo "no packages found for ${1}" >&2; exit 1; }
#  gpg --detach-sign --use-agent -u "$KEY" "$i"   # to sign with a specific key
  gpg --detach-sign --use-agent "$i"
done
scp ./*.pkg.tar.xz.sig "pkgbuild.com:svn-packages/${1}/trunk/"
popd
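
A check worth running on the temp dir between the gpg loop and the final scp: it refuses to continue unless every package has a detached signature that gpg accepts, optionally pinned to one key. This is an added example, not Tom's script; it assumes gpg is on PATH, the signer's public key is in the keyring, and the optional FINGERPRINT argument (hypothetical) is the full 40-hex fingerprint of the intended signing key.

```shell
#!/bin/bash
# Added example, not part of the original post: verify the detached
# signatures in the signing script's temp dir before the .sig upload.
# Assumes gpg is on PATH and the signer's public key is in the keyring.

# verify_sigs DIR [FINGERPRINT]
# Returns 0 only if DIR holds at least one *.pkg.tar.xz and each one has
# a .sig that gpg verifies; FINGERPRINT (hypothetical, full 40-hex form)
# additionally requires that key to have produced every signature.
verify_sigs() {
    local dir=$1 want=${2:-} pkg sig out fpr count=0 status=0
    for pkg in "$dir"/*.pkg.tar.xz; do
        [ -e "$pkg" ] || continue          # glob matched nothing
        count=$((count + 1))
        sig=$pkg.sig
        if [ ! -f "$sig" ]; then
            echo "missing signature: $sig" >&2
            status=1; continue
        fi
        # --status-fd 1 gives machine-readable lines; VALIDSIG carries the
        # fingerprint of the key that produced a good signature.
        if ! out=$(gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null); then
            echo "bad signature: $sig" >&2
            status=1; continue
        fi
        fpr=$(printf '%s\n' "$out" | awk '/^\[GNUPG:\] VALIDSIG / { print $3; exit }')
        if [ -z "$fpr" ] || { [ -n "$want" ] && [ "$fpr" != "$want" ]; }; then
            echo "$sig signed by '${fpr:-unknown}', expected '${want:-any valid key}'" >&2
            status=1
        fi
    done
    [ "$count" -gt 0 ] || { echo "no packages in $dir" >&2; status=1; }
    return "$status"
}

# Typical use inside the signing script, after the gpg loop and before
# the scp of the signatures (KEY is the hypothetical fingerprint variable):
#   verify_sigs "$DIR" "$KEY" || exit 1
```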
