On Tue, Jul 24, 2012 at 11:19:54PM +0000, Xyne wrote:
> Magnus Therning wrote:
>
>> On Tue, Jul 24, 2012 at 1:20 PM, Xyne <[email protected]> wrote:
>>> Hi Magnus,
>>>
>>> It's time to nag you again about package signing. I can give you a script to
>>> batch sign packages, run repo-add, then sign the generated repo with a single
>>> passphrase prompt. Obviously I don't know how well that fits with your current
>>> release method, but it should be possible to set something up that is minimally
>>> invasive and I'll gladly help if I can.
>>
>> Good that you nag!
>>
>> I'd love getting that script, and possibly hints on key
>> generation/storage/management/etc as well.
>
>
> I've put together a clean script using various code snippets that I have in my
> release scripts:
>
> http://xyne.archlinux.ca/scripts/pacman/#repo-add_and_sign
>
> Just ask if anything is unclear or if you think you've found a bug.
> If you need something customized to your build system, give me some
> details and I'll work on it.

[...]

> For key generation/etc, I would suggest generating a new key pair
> dedicated to package signing, but that's just a personal preference.
> You could just as well use the same key pair that you already use to
> sign your email. Management is not really any different either: keep
> the private key secure, have a revocation key ready, etc.
Correct me if I'm wrong in this assumption, but I need to have the
following three items available when running the script:

1. The newly-built package.
2. The repo database (x.db.tar.gz) I'm adding the package to.
3. The secret key.

This is a slight problem for me. I build on kiwilight (where I'm not
alone in having root access), the database is on xsounds.org (where I
don't have root access at all), and to be fully comfortable I'd like to
keep the secret key and perform the signing on my own machine :-)

Is there some way to simply extract the actual data that is to be
signed (the hashes), and perform the actual signing manually? (I've
found a need for this sort of thing with other package managers as
well, especially RPM, but never found a way to do that. I would find it
unfortunate if the pacman developers have painted themselves into the
same corner as the RPM developers.)

/M

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: [email protected]   jabber: [email protected]
twitter: magthe               http://therning.org/magnus

I invented the term Object-Oriented, and I can tell you I did not have
C++ in mind.
     -- Alan Kay
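As an added example (not Xyne's script from the link above, and not part of the original thread), here is a small POSIX sh script for the workflow discussed: batch-sign the built packages, run repo-add, then sign the database, with gpg-agent's passphrase cache so only the first signature prompts. It assumes gpg and repo-add (pacman 4 or later) are on PATH and uses an assumed SIGNKEY environment variable for the key id; because gpg's detached signature is computed over the whole file, the packages and the database must be on the machine that holds the secret key.

```shell
#!/bin/sh
# Added example, not Xyne's script: sign packages, add them to the repo
# database, then sign the database. gpg-agent caches the passphrase, so
# only the first signature prompts. Assumes gpg and repo-add on PATH.
set -eu

SIGNKEY="${SIGNKEY:-}"   # assumed variable, e.g. 0xAB4DFBA4; empty = gpg default key

# Return 0 when FILE has no detached signature yet, or is newer than its
# signature (package was rebuilt), i.e. it must be (re)signed.
needs_sig() {
    [ ! -e "$1.sig" ] || [ "$1" -nt "$1.sig" ]
}

# Name of the signature symlink pacman fetches for a database:
# x.db.tar.gz -> x.db.sig (repo-add itself keeps the x.db -> x.db.tar.gz link).
db_sig_link() {
    printf '%s\n' "${1%.tar.*}.sig"
}

# Binary detached signature next to the file, which is where pacman looks.
sign_file() {
    rm -f "$1.sig"
    gpg --yes --detach-sign ${SIGNKEY:+--local-user "$SIGNKEY"} \
        --output "$1.sig" "$1"
}

main() {
    db=$1; shift                      # remaining arguments: package files
    for pkg in "$@"; do
        if needs_sig "$pkg"; then sign_file "$pkg"; fi
    done
    # repo-add stores a pkg.sig found beside each package in its db entry,
    # so the packages are signed before it runs.
    repo-add "$db" "$@"
    sign_file "$db"
    ln -sf "$(basename "$db").sig" "$(db_sig_link "$db")"
    # Check every signature against the public key before publishing.
    for f in "$@" "$db"; do gpg --verify "$f.sig" "$f"; done
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Usage: `./sign-repo.sh x.db.tar.gz foo-1.0-1-x86_64.pkg.tar.xz ...`, run in the directory that will be served as the repo.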
_______________________________________________
arch-haskell mailing list
[email protected]
http://www.haskell.org/mailman/listinfo/arch-haskell
