
Hi,

Are there any plans to start signing [haskell] packages and databases?

Regards,
Xyne

On Fri, Mar 02, 2012 at 05:59:44PM +0000, Xyne wrote:
> Hi,
> Are there any plans to start signing [haskell] packages and databases?

Nothing concrete yet, no. It's on my list of things to have a closer look at though, so any pointers to info would be of interest.

/M

-- 
Magnus Therning
OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe   http://therning.org/magnus

Most software today is very much like an Egyptian pyramid with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.
-- Alan Kay

Magnus Therning wrote:
> > Are there any plans to start signing [haskell] packages and databases?
> Nothing concrete yet, no. It's on my list of things to have a closer look at though, so any pointers to info would be of interest.

Creating the actual signatures is simple:

Method 1:
1) use makepkg's "sign" option to sign packages as you create them
2) create the database as usual
3) sign the database

Method 2:
1) build the packages as usual
2) batch sign them
3) create the database as usual
4) sign the database

The advantage of method 2 is that you will not be prompted for a passphrase for every package. There may be a way to avoid that with makepkg, but I haven't found it yet. I just wrote my own script to prompt me for the password, batch sign the packages, create the database, and finally sign it.

The only thing that matters is that the detached signature files are in place before you create the database, so that the database is aware of them.

Getting the necessary level of trust is another matter. For devs and TUs, we need to get at least 3 of the Arch Linux master key signatures, but that is only because users are expected to have trusted those keys. If you do decide to make [haskell] independent and apply for official status as I suggested in the other thread, then you should easily be able to get the master key signatures (and you will probably get developer status too). Otherwise, it is up to users to trust your key, which I think most users of [haskell] would. I definitely would.

Here's the developer's wiki page about package signing:
https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages

You can ignore the CACert recommendation.
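The "method 2" sequence above (batch sign, create the database, sign the database), written out as an added example script that is not from the thread or from the Arch tooling itself. The package directory, repo name and key id are placeholders passed on the command line, and the script assumes gpg-agent caches the passphrase so the batch step asks for it once; the `require_signatures` check enforces the ordering the message says is the only thing that matters.

```shell
#!/bin/sh
# Added example, not from the thread: steps 2-4 of "method 2". Packages are
# assumed to have been built with makepkg already; PKGDIR/REPO/KEY are placeholders.
set -eu

# Step 2: batch sign. gpg-agent caches the passphrase, so you are asked
# once for the whole batch instead of once per package.
batch_sign() {
    dir=$1 key=$2
    for pkg in "$dir"/*.pkg.tar.*; do
        case $pkg in *.sig) continue ;; esac     # skip signature files themselves
        [ -f "$pkg.sig" ] && continue            # already signed
        gpg --detach-sign --local-user "$key" --output "$pkg.sig" "$pkg"
    done
}

# The ordering check: every package must have its detached .sig on disk
# before the database is created, because repo-add records the signatures
# it finds at that moment. Lists unsigned packages and returns non-zero.
require_signatures() {
    dir=$1 missing=0
    for pkg in "$dir"/*.pkg.tar.*; do
        case $pkg in *.sig) continue ;; esac
        [ -e "$pkg" ] || continue                # glob matched nothing
        if [ ! -f "$pkg.sig" ]; then
            echo "unsigned: $pkg" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Steps 3 and 4: create the database from the signed packages, then sign it.
build_and_sign_db() {
    dir=$1 repo=$2 key=$3
    require_signatures "$dir"
    set --                                       # collect packages, not .sig files
    for pkg in "$dir"/*.pkg.tar.*; do
        case $pkg in *.sig) ;; *) set -- "$@" "$pkg" ;; esac
    done
    repo-add "$dir/$repo.db.tar.gz" "$@"
    gpg --detach-sign --local-user "$key" \
        --output "$dir/$repo.db.tar.gz.sig" "$dir/$repo.db.tar.gz"
}

# Usage: sh sign-repo.sh /path/to/pkgs haskell 0xKEYID
if [ $# -eq 3 ]; then
    batch_sign "$1" "$3"
    build_and_sign_db "$1" "$2" "$3"
fi
```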