Signing Packages
[ rough draft ]
Have a GPG key
Create your new key:
gpg --gen-key
more... [ TBD: how strong should the key be? ]
Back it up:
gpg --export-secret-keys --armor <keyid> > my_key_backup.asc
more...
In case you need to import the backup later:
gpg --import <backup_file>
then open the key with
gpg --edit-key <keyid>
and trust it ultimately.
Export the public key:
gpg --export --armor <keyid> > my_pub_key.asc
If you're going to use the key for GPG/MIME or share your signed packages with other people, you probably need to publish your key:
gpg --send-key <keyid>
more...
Import into pacman
This is needed because pacman has its own keystore and own rules for trusting keys. Either you get approved as a packager for the MSYS2 project, or you have to import your key manually.
To import and sign your key with pacman-key:
pacman-key --add <pubkeyfile>
or, if it's published:
pacman-key --recv-keys <keyid>
then locally sign it:
pacman-key --lsign-key <keyid>
more...
To make your key a trusted developer key for signing official packages, you have to get your key included in the respective keyring and get it signed by at least 3 master keys. The package and repository is msys2-keyring for MSYS2, see Alexpux/msys2-keyring. The package and repository for Arch Linux is archlinux-keyring, see https://gitlab.archlinux.org/archlinux/archlinux-keyring. These packages install keyring files into /usr/share/pacman/keyrings, which then can be imported and locally signed in one batch using pacman-key --populate <keyringname>.
Actually sign stuff
- Old packages: run
gpg --detach-sign --no-armor <pkg>
for each package (all such packages need to be re-repo-add'ed to make the database aware of the new signatures)
- New packages: just add --sign to the makepkg command line or set the related makepkg.conf option
- Databases:
repo-add -s -v <db> <pkg>
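The following script is an added example, not part of this wiki page: it audits a directory of built packages before you run repo-add, listing packages that have no detached .sig beside them (the "old packages" case above, which still need gpg --detach-sign and a re-add to the database) and running gpg --verify over the signatures that do exist. The directory layout (<pkg> next to <pkg>.sig) is what gpg --detach-sign produces; the sample package files and the placeholder .sig are constructed for the demo and are not real packages or signatures.

```shell
#!/bin/sh
# Added example, not from the MSYS2 wiki: audit a directory of built packages
# before repo-add. Every package needs a detached <pkg>.sig beside it, and each
# signature must verify against the keys in your GPG keyring. Packages without
# a .sig are the "old packages" from the text: detach-sign them and re-add them
# so the database picks up the signatures.

# Print the file names of packages in directory $1 that have no .sig next to
# them. Prints nothing when every package is signed.
find_unsigned() {
    dir=$1
    for pkg in "$dir"/*.pkg.tar.*; do
        [ -e "$pkg" ] || continue                 # no packages at all
        case "$pkg" in *.sig) continue ;; esac    # the glob also matches .sig files
        [ -f "$pkg.sig" ] || echo "${pkg##*/}"
    done
}

# Run gpg --verify on every <pkg>.sig in directory $1, print OK/FAIL per
# package and return 1 if any signature fails (or gpg is not installed).
verify_signed() {
    dir=$1
    rc=0
    for sig in "$dir"/*.pkg.tar.*.sig; do
        [ -e "$sig" ] || continue
        pkg=${sig%.sig}
        if gpg --batch --verify "$sig" "$pkg" >/dev/null 2>&1; then
            echo "OK   ${pkg##*/}"
        else
            echo "FAIL ${pkg##*/}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: two empty stand-ins for packages, one of them with
# a placeholder .sig that is not a real signature (so verification must fail).
make_demo_dir() {
    d=$(mktemp -d)
    : > "$d/foo-1.0-1-any.pkg.tar.zst"
    : > "$d/bar-2.0-1-any.pkg.tar.zst"
    : > "$d/bar-2.0-1-any.pkg.tar.zst.sig"
    echo "$d"
}

demo=$(make_demo_dir)
find_unsigned "$demo"          # prints foo-1.0-1-any.pkg.tar.zst
verify_signed "$demo" || echo "refusing to repo-add: fix the signatures above"
rm -rf "$demo"
```

Point it at your real package directory by calling find_unsigned and verify_signed with that path instead of the demo directory; an empty list from the first and all-OK from the second is the state you want before repo-add -s updates the database.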