[arch-dev-public] Finalizing the package signing process

Tom Gundersen teg at jklm.no
Sun Oct 30 16:58:35 EDT 2011

On Sun, Oct 30, 2011 at 9:38 PM, Daniel Isenmann <daniel.isenmann at gmx.de> wrote:
>> I don't think signing remotely is going to be possible, also I don't
>> see the point of it. We anyway have to download the package in order
>> to test it, so we wouldn't really gain anything.
> Not all packages have to be tested, e.g. a large rebuild against a new
> library version which you are sure that nothing is broken in your
> pakage and only needs new linking against the new library.
> That's only as an example.

But surely you will eventually download and install it? That said, I
guess there will be cases where it would be useful to not immediately
have to download the package (even if I'm struggling to imagine atm).

>> I use a script to download, sign and upload signature, then I test the
>> package locally before pushing it to the repos.
> Mind if you can provide the script. Such a helper script would help a
> lot.

Sure, it is based on something given to me by another dev on IRC
(forgot who). Hopefully they won't sue me for copyright infringement

It will leave the packages in /tmp for you to test, so you might want
to remember to delete them afterwards.


DIR=`mktemp -d /tmp/signpkg.${1}.XXXXX`
pushd ${DIR}
scp pkgbuild.com:svn-packages/$1/trunk/*.pkg.tar.xz .
for i in *.pkg.tar.xz; do
#  gpg --detach-sign --use-agent -u $KEY "$i"
  gpg --detach-sign --use-agent "$i"
scp *.pkg.tar.xz.sig pkgbuild.com:svn-packages/$1/trunk/

More information about the arch-dev-public mailing list