
Magnus Therning wrote:
> On Tue, Jul 24, 2012 at 1:20 PM, Xyne wrote:
>> Hi Magnus,
>>
>> It's time to nag you again about package signing. I can give you a script to batch sign packages, run repo-add, then sign the generated repo with a single passphrase prompt. Obviously I don't know how well that fits with your current release method, but it should be possible to set something up that is minimally invasive and I'll gladly help if I can.
>
> Good that you nag!
>
> I'd love getting that script, and possibly hints on key generation/storage/management/etc as well.
I've put together a clean script using various code snippets that I have in my release scripts: http://xyne.archlinux.ca/scripts/pacman/#repo-add_and_sign

Just ask if anything is unclear or if you think you've found a bug. If you need something customized to your build system, give me some details and I'll work on it. I'm going to announce it on the forum too. If there's any interest, I'll probably package it. If I do, the link will also change, so check the projects page if the one above dies.

For key generation/etc, I would suggest generating a new key pair dedicated to package signing, but that's just a personal preference. You could just as well use the same key pair that you already use to sign your email. Management is not really any different either: keep the private key secure, have a revocation key ready, etc. If you create a new key pair, upload the public one to e.g. pgp.mit.edu and post the fingerprint in a few different places so users can verify it before trusting it.

That's all I can think of for now.
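The release flow the thread describes (detach-sign every package, run repo-add, then sign the generated database) as an added example written for this page; it is not Xyne's repo-add_and_sign script and not part of the original mail. It assumes `gpg` and `repo-add` (from pacman) are installed and that gpg-agent caches the passphrase, so only the first signature prompts; the optional `GPG_KEY` variable for choosing a dedicated signing key is an assumption of this example.

```sh
#!/bin/sh
# Added example, not Xyne's script: sign packages, rebuild the repo db, sign the db.
# Assumes: gpg (with gpg-agent caching the passphrase), repo-add from pacman,
# and package files produced by makepkg (no spaces in their names).
set -eu

# List every package archive in a directory (detached .sig files excluded).
package_files() {
    for pkg in "$1"/*.pkg.tar*; do
        [ -e "$pkg" ] || continue          # glob matched nothing
        case "$pkg" in *.sig) continue ;; esac
        printf '%s\n' "$pkg"
    done
}

# List only the packages that do not yet have a detached signature next to them,
# so re-running the release never re-signs (and never re-prompts for) old packages.
unsigned_packages() {
    package_files "$1" | while IFS= read -r pkg; do
        [ -e "$pkg.sig" ] || printf '%s\n' "$pkg"
    done
}

# Binary detached signature beside the file, which is what pacman looks for.
# GPG_KEY (assumed variable) selects a key dedicated to package signing; when it is
# unset gpg uses its default key. gpg-agent serves later calls from its cache.
sign_file() {
    gpg --batch --yes --detach-sign ${GPG_KEY:+--local-user "$GPG_KEY"} "$1"
}

# Full release: sign new packages, rebuild the database, sign the database.
release_repo() {
    dir=$1
    reponame=$2
    if [ -z "$(package_files "$dir")" ]; then
        echo "no packages found in $dir" >&2
        return 1
    fi

    # 1. One detached signature per unsigned package (first call prompts once).
    unsigned_packages "$dir" | while IFS= read -r pkg; do
        sign_file "$pkg"
    done

    # 2. Rebuild the database from every package; repo-add records each
    #    package's .sig (PGPSIG entry) in the database when the file exists.
    package_files "$dir" | xargs repo-add "$dir/$reponame.db.tar.gz"

    # 3. Sign the database itself (and the .files db that newer repo-add writes),
    #    then give the signature the short name pacman actually downloads
    #    (repo.db.sig), mirroring the repo.db -> repo.db.tar.gz symlink.
    for db in "$dir/$reponame.db.tar.gz" "$dir/$reponame.files.tar.gz"; do
        [ -e "$db" ] || continue
        sign_file "$db"
        short=${db%.tar.gz}
        ln -sf "$(basename "$db").sig" "$short.sig"
    done
}

# Usage: ./release.sh /path/to/repo reponame
if [ $# -ge 2 ]; then
    release_repo "$1" "$2"
fi
```

Run it as `./release.sh /srv/repo myrepo` after copying freshly built packages into the directory. Clients then need the signing key's fingerprint (published as the mail suggests) in their pacman keyring and `SigLevel = Required` for that repo; with that, a tampered package or database fails verification instead of installing.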