sign packages on alderaan (was: Finalizing the package signing process)
On 30.10.2011 18:56, Daniel Isenmann wrote:
> I'm building my packages exclusive on pkgbuild.com and there I can't
> sign packages. If we do the switch in dbscripts then pkgbuild.com
> should be ready to generate signed packages. As far as I know it isn't
> possible yet, am I right?

So far the only solution is to download the finished package, sign it locally using `gpg --detach-sign <file>` and then uploading the signature back to pkgbuild.com so commitpkg will find it.

There has been some discussion [1] about remote signing for GPG, but I think they dropped the idea.

[1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html

--
Florian Pritz
sign packages on alderaan (was: Finalizing the package signing process)
On Sun, 30 Oct 2011 19:06:21 +0100
Florian Pritz <bluewind@xinu.at> wrote:

> On 30.10.2011 18:56, Daniel Isenmann wrote:
> > I'm building my packages exclusive on pkgbuild.com and there I can't
> > sign packages. If we do the switch in dbscripts then pkgbuild.com
> > should be ready to generate signed packages. As far as I know it
> > isn't possible yet, am I right?
>
> So far the only solution is to download the finished package, sign it
> locally using gpg --detach-sign <file> and then uploading the
> signature back to pkgbuild.com so commitpkg will find it.
>
> There has been some discussion [1] about remote signing for GPG, but I
> think they dropped the idea.
>
> [1]:
> http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html

Kerrick Staley's last comment [1] on this thread was that they will go with the hash-signing implementation. But it seems that there is nothing new on this topic.

[1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042078.html
sign packages on alderaan (was: Finalizing the package signing process)
On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
> So far the only solution is to download the finished package, sign it
> locally using gpg --detach-sign <file> and then uploading the signature
> back to pkgbuild.com so commitpkg will find it.

Did something change WRT this workflow now? I'm getting signature-incorrect from commitpkg. I did sign like this 2 times before (opencv and cinelerra-cv), so it did work recently. `gpg --verify` outputs:

gpg: Can't check signature: public key not found

But this is normal, and the public key was not there for the previous 2 times. Or was `gpg --verify` not there in commitpkg before? Do I now need to import my public key on alderaan?

--
GPG/PGP ID: C0711BF1
sign packages on alderaan (was: Finalizing the package signing process)
On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv@archlinux.org> wrote:
> On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
>> So far the only solution is to download the finished package, sign it
>> locally using gpg --detach-sign <file> and then uploading the signature
>> back to pkgbuild.com so commitpkg will find it.
>
> Did something change WRT this workflow now? I'm getting
> signature-incorrect from commitpkg. I did sign like this 2 times
> before (opencv and cinelerra-cv), so it did work recently. gpg
> --verify outputs:
>
> gpg: Can't check signature: public key not found
>
> But this is normal, and the public key was not there for the previous
> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
> need to import my public key on alderaan?

Is your key in your keychain on alderaan? Probably not from what this looks like. Easy to check- `gpg --list-keys 0xfoobar`.

-Dan
sign packages on alderaan (was: Finalizing the package signing process)
On 12 November 2011 07:35, Dan McGee <dpmcgee@gmail.com> wrote:
> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv@archlinux.org> wrote:
>> On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
>>> So far the only solution is to download the finished package, sign it
>>> locally using gpg --detach-sign <file> and then uploading the signature
>>> back to pkgbuild.com so commitpkg will find it.
>>
>> Did something change WRT this workflow now? I'm getting
>> signature-incorrect from commitpkg. I did sign like this 2 times
>> before (opencv and cinelerra-cv), so it did work recently. gpg
>> --verify outputs:
>>
>> gpg: Can't check signature: public key not found
>>
>> But this is normal, and the public key was not there for the previous
>> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
>> need to import my public key on alderaan?
>
> Is your key in your keychain on alderaan? Probably not from what this
> looks like. Easy to check- `gpg --list-keys 0xfoobar`.
>
> -Dan
>

Nope. That was what I was asking - whether I need to add it. The last 2 times that I pushed signed packages from alderaan I didn't do anything gpg-related remotely.

Anyway, imported the key now so all is good again.

--
GPG/PGP ID: C0711BF1
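
The failure discussed in this thread (a public key missing from the server keyring surfacing as "signature-incorrect") can be told apart from a genuinely bad signature by reading gpg's `--status-fd` lines rather than its exit code. The script below is an added example, not commitpkg's code and not part of the original messages; the function names, the key ID and the sample status lines are constructed, and it assumes one detached signature per package.

```shell
#!/bin/sh
# Added example (not commitpkg code): classify a detached-signature check
# from gpg's machine-readable status lines.

# classify_status: read `gpg --status-fd` output on stdin and print one of
#   good | bad-signature | missing-key:<keyid> | expired-or-revoked | unknown
classify_status() {
    result=unknown
    while read -r tag keyword arg _rest; do
        # Only lines prefixed with [GNUPG:] are status lines.
        if [ "$tag" != "[GNUPG:]" ]; then continue; fi
        case "$keyword" in
            GOODSIG)   result=good ;;
            BADSIG)    result=bad-signature ;;           # data or signature altered
            NO_PUBKEY) result="missing-key:$arg" ;;      # signer's key not in keyring
            EXPSIG|EXPKEYSIG|REVKEYSIG) result=expired-or-revoked ;;
        esac
    done
    printf '%s\n' "$result"
}

# verify_pkg_sig PKG: check PKG against PKG.sig using the current keyring.
verify_pkg_sig() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | classify_status
}

# Constructed status output for the three cases (key ID is a placeholder).
sample_missing='[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1321054260 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
sample_good='[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>'
sample_bad='[GNUPG:] BADSIG 0123456789ABCDEF Example Packager <packager@example.org>'

for s in "$sample_missing" "$sample_good" "$sample_bad"; do
    printf '%s\n' "$s" | classify_status
done
```

A `missing-key:<keyid>` result says the signature itself was never checked and the packager's public key needs importing on the server.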