[arch-general] Is it secure to just sign repository databases?
Manuel.Spam at nurfuerspam.de
Sun Jun 16 09:03:48 UTC 2019
I run a repository locally that I would like to share to the public.
The build is mostly automated. That's why I don't want to sign each
individual package. The private key is not stored on the build machine
and I want to sign the resulting stuff externally.
The easiest way would be actually to just manually sign the database
file. As this file includes all checksums of the individual packages, I
think this is as secure as signing every package, right?
Thanks in advance
More information about the arch-general