[arch-dev-public] Finalizing the package signing process

Daniel Isenmann daniel.isenmann at gmx.de
Sun Oct 30 17:47:53 EDT 2011


On Sun, 30 Oct 2011 21:58:35 +0100
Tom Gundersen <teg at jklm.no> wrote:

> On Sun, Oct 30, 2011 at 9:38 PM, Daniel Isenmann
> <daniel.isenmann at gmx.de> wrote:
> >> I don't think signing remotely is going to be possible, also I
> >> don't see the point of it. We anyway have to download the package
> >> in order to test it, so we wouldn't really gain anything.
> >
> > Not all packages have to be tested, e.g. a large rebuild against a
> > new library version where you are sure that nothing is broken in
> > your package and it only needs relinking against the new library.
> > That's only an example.
> 
> But surely you will eventually download and install it? That said, I
> guess there will be cases where it would be useful to not immediately
> have to download the package (even if I'm struggling to imagine atm).

Sure. I will do that. But mainly I build the packages not at home and
that's my main problem. But I will try the method with your small
script, thanks for that. 

> 
> >> I use a script to download, sign and upload signature, then I test
> >> the package locally before pushing it to the repos.
> >
> > Mind if you can provide the script. Such a helper script would help
> > a lot.
> 
> Sure, it is based on something given to me by another dev on IRC
> (forgot who). Hopefully they won't sue me for copyright infringement
> ;-)
> 
> It will leave the packages in /tmp for you to test, so you might want
> to remember to delete them afterwards.
> 
> #!/bin/bash
> # Stop on the first failure so a failed download never leads to
> # signing stale files or uploading a partial set of signatures.
> set -e
> 
> DIR=$(mktemp -d "/tmp/signpkg.${1}.XXXXX")
> pushd "${DIR}"
> # Fetch the built packages for the given package name from pkgbuild.com
> scp "pkgbuild.com:svn-packages/$1/trunk/*.pkg.tar.xz" .
> for i in *.pkg.tar.xz; do
> #  gpg --detach-sign --use-agent -u "$KEY" "$i"
>   gpg --detach-sign --use-agent "$i"
> done
> # Upload only the detached signatures; the packages stay here for testing
> scp ./*.pkg.tar.xz.sig "pkgbuild.com:svn-packages/$1/trunk/"
> popd

Thanks for that...

Daniel
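
An added example, not Tom's script or anything else from the thread: the same fetch, sign, upload flow, but each detached signature is verified against the expected signing key before anything is uploaded. The pkgbuild.com paths follow the quoted helper; SIGNING_KEY_FPR and the VALIDSIG status-line parsing are my assumptions about gpg's --status-fd output.

```shell
#!/bin/bash
# Added example (not Tom's script): sign each package, then verify the
# detached signature against the expected key before uploading anything.
set -eu

# Fingerprint of the key that should make the signatures (placeholder;
# set SIGNING_KEY_FPR to your own key's fingerprint).
EXPECTED_FPR="${SIGNING_KEY_FPR:-0000000000000000000000000000000000000000}"

# Print the signing-key fingerprint from gpg --status-fd output. Status
# lines look like "[GNUPG:] VALIDSIG <fpr> <date> ..."; field 3 is the
# fingerprint of the key that made the signature.
validsig_fpr() {
  printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Succeed only if the status output reports a valid signature made by $2.
sig_ok() {
  local fpr
  fpr=$(validsig_fpr "$1")
  if [ -n "$fpr" ] && [ "$fpr" = "$2" ]; then return 0; fi
  return 1
}

# Detach-sign one package file and check the result before it leaves /tmp.
sign_and_check() {
  local pkg="$1" status
  gpg --detach-sign --use-agent -u "$EXPECTED_FPR" "$pkg"
  # --status-fd 1 puts the machine-readable result on stdout; a bad or
  # missing signature makes gpg exit non-zero, which becomes a failed
  # sig_ok instead of an abort.
  status=$(gpg --status-fd 1 --verify "$pkg.sig" "$pkg" 2>/dev/null || true)
  sig_ok "$status" "$EXPECTED_FPR"
}

# Same flow as the quoted helper; signatures are uploaded only if all verified.
sign_pkg() {
  local dir pkg
  dir=$(mktemp -d "/tmp/signpkg.$1.XXXXX")
  scp "pkgbuild.com:svn-packages/$1/trunk/*.pkg.tar.xz" "$dir/"
  for pkg in "$dir"/*.pkg.tar.xz; do
    sign_and_check "$pkg" || { echo "bad signature on $pkg, not uploading" >&2; return 1; }
  done
  scp "$dir"/*.pkg.tar.xz.sig "pkgbuild.com:svn-packages/$1/trunk/"
  echo "packages left in $dir for local testing"
}

# Run only when a package name is given, e.g. ./signpkg.sh foo
[ "$#" -eq 0 ] || sign_pkg "$1"
```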

