[arch-dev-public] sign packages on alderaan
allan at archlinux.org
Sun Oct 30 18:50:02 EDT 2011
On 31/10/11 06:09, Daniel Isenmann wrote:
> On Sun, 30 Oct 2011 19:06:21 +0100
> Florian Pritz<bluewind at xinu.at> wrote:
>> On 30.10.2011 18:56, Daniel Isenmann wrote:
>>> I'm building my packages exclusive on pkgbuild.com and there I can't
>>> sign packages. If we do the switch in dbscripts then pkgbuild.com
>>> should be ready to generate signed packages. As far as I know it
>>> isn't possible yet, am I right?
>> So far the only solution is to download the finished package, sign it
>> locally using gpg --detach-sign<file> and then uploading the
>> signature back to pkgbuild.com so commitpkg will find it.
>> There has been some discussion  about remote signing for GPG, but I
>> think they dropped the idea.
> Kerrick Staley last comment  on this thread was that they will go
> with the hash-signing implementation. But it seems that there is
> nothing new on this topic.
I'd be much more interested in a patch that actually lets you do remote
signing than a discussion that went nowhere...
But then again, that patch went nowhere in the end too as far as I can tell.
More information about the arch-dev-public