sign packages on alderaan (was: Finalizing the package signing process)
On 30.10.2011 18:56, Daniel Isenmann wrote:
> I'm building my packages exclusively on pkgbuild.com and there I can't
> sign packages. If we do the switch in dbscripts then pkgbuild.com
> should be ready to generate signed packages. As far as I know it isn't
> possible yet, am I right?
So far the only solution is to download the finished package, sign it
locally using gpg --detach-sign <file> and then upload the signature
back to pkgbuild.com so commitpkg will find it.
There has been some discussion [1] about remote signing for GPG, but I
think they dropped the idea.
On Sun, 30 Oct 2011 19:06:21 +0100
Florian Pritz <bluewind@xinu.at> wrote:
> On 30.10.2011 18:56, Daniel Isenmann wrote:
> > I'm building my packages exclusively on pkgbuild.com and there I can't
> > sign packages. If we do the switch in dbscripts then pkgbuild.com
> > should be ready to generate signed packages. As far as I know it
> > isn't possible yet, am I right?
>
> So far the only solution is to download the finished package, sign it
> locally using gpg --detach-sign <file> and then upload the
> signature back to pkgbuild.com so commitpkg will find it.
>
> There has been some discussion [1] about remote signing for GPG, but I
> think they dropped the idea.
>
> [1]:
> http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html
Kerrick Staley's last comment [1] on this thread was that they will go
with the hash-signing implementation. But it seems that there is
nothing new on this topic.
On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
> So far the only solution is to download the finished package, sign it
> locally using gpg --detach-sign <file> and then upload the signature
> back to pkgbuild.com so commitpkg will find it.
Did something change WRT this workflow now? I'm getting
signature-incorrect from commitpkg. I did sign like this 2 times
before (opencv and cinelerra-cv), so it did work recently. gpg
--verify outputs:
gpg: Can't check signature: public key not found
But this is normal, and the public key was not there for the previous
2 times. Or was gpg --verify not there in commitpkg before? Do I now
need to import my public key on alderaan?
--
GPG/PGP ID: C0711BF1
11-11-2011, 10:35 PM
Dan McGee
On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv@archlinux.org> wrote:
> On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
>> So far the only solution is to download the finished package, sign it
>> locally using gpg --detach-sign <file> and then upload the signature
>> back to pkgbuild.com so commitpkg will find it.
>
> Did something change WRT this workflow now? I'm getting
> signature-incorrect from commitpkg. I did sign like this 2 times
> before (opencv and cinelerra-cv), so it did work recently. gpg
> --verify outputs:
>
> gpg: Can't check signature: public key not found
>
> But this is normal, and the public key was not there for the previous
> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
> need to import my public key on alderaan?
Is your key in your keychain on alderaan? Probably not from what this
looks like. Easy to check- `gpg --list-keys 0xfoobar`.
-Dan
11-11-2011, 10:43 PM
Ray Rashif
On 12 November 2011 07:35, Dan McGee <dpmcgee@gmail.com> wrote:
> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv@archlinux.org> wrote:
>> On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
>>> So far the only solution is to download the finished package, sign it
>>> locally using gpg --detach-sign <file> and then upload the signature
>>> back to pkgbuild.com so commitpkg will find it.
>>
>> Did something change WRT this workflow now? I'm getting
>> signature-incorrect from commitpkg. I did sign like this 2 times
>> before (opencv and cinelerra-cv), so it did work recently. gpg
>> --verify outputs:
>>
>> gpg: Can't check signature: public key not found
>>
>> But this is normal, and the public key was not there for the previous
>> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
>> need to import my public key on alderaan?
>
> Is your key in your keychain on alderaan? Probably not from what this
> looks like. Easy to check- `gpg --list-keys 0xfoobar`.
>
> -Dan
>
Nope. That was what I was asking - whether I need to add it. The last
2 times that I pushed signed packages from alderaan I didn't do
anything gpg-related remotely.
Anyway, imported the key now so all is good again.
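
The thread turns on a check reporting signature-incorrect when the signer's public key was simply absent from the keyring. The following is an added example, not part of the thread and not commitpkg's code: it reads the machine-readable status lines that `gpg --status-fd` prints and separates "key not in keyring" from "signature does not match the file". The function names, sample status lines and key ID are constructed for illustration.

```shell
#!/bin/sh
# Added example (not commitpkg's code): classify the output of
#   gpg --status-fd 1 --verify <sig> <file>
# so a missing public key is not reported as a bad signature.

# Constructed sample status output; the key ID is a placeholder.
SAMPLE_NO_KEY='[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1321054260 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
SAMPLE_BAD='[GNUPG:] BADSIG 0123456789ABCDEF Constructed User <user@example.invalid>'
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Constructed User <user@example.invalid>'

# Reads "[GNUPG:] ..." lines on stdin and prints one verdict:
#   good <keyid> | bad <keyid> | missing-key <keyid> | untrusted <keyid> | unknown
classify_gpg_status() {
    verdict="unknown"
    while IFS=' ' read -r tag keyword arg _rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG)
                # File or signature was altered: always the final verdict.
                verdict="bad $arg"; break ;;
            NO_PUBKEY)
                # Signature cannot be checked at all: key must be imported.
                verdict="missing-key $arg" ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG)
                if [ "$verdict" = "unknown" ]; then verdict="untrusted $arg"; fi ;;
            GOODSIG)
                if [ "$verdict" = "unknown" ]; then verdict="good $arg"; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Verify a detached signature; returns 0 only for a good signature.
check_detached_sig() {
    sig=$1
    file=$2
    result=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        classify_gpg_status)
    printf '%s\n' "$result"
    case "$result" in
        good\ *) return 0 ;;
        *) return 1 ;;
    esac
}
```

A `missing-key` verdict calls for importing the signer's public key on the verifying host, whereas `bad` means the package or signature file itself should be re-checked.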