DeveloperWiki:Signing Packages

From ArchWiki
Revision as of 17:02, 11 April 2011 by Pierre (Talk | contribs) (Created page with "'''Warning: This is just a draft''' ==Create a key pair== # install <code>gnupg</code> # <code>gpg --gen-key</code> ## you may use the default options which is a 2048 Bit RSA ke...")


Warning: This is just a draft

Create a key pair

  1. install gnupg
  2. gpg --gen-key
    1. you may use the default options, which give a 2048-bit RSA key for signing and encryption that does not expire; pick a strong passphrase, because anyone who obtains the secret key file together with the passphrase can sign packages as you
  3. Also create a revocation certificate for later use
    1. gpg -o ~/.gnupg/<filename> --gen-revoke <keyid>
    2. Make sure to create a backup of this file and probably remove it from your system afterwards: anyone holding it can revoke your key, but without it you cannot revoke the key if the secret key or the passphrase is ever lost

Get your key signed by CAcert

  1. Get the CAcert key and import it:
    1. wget <url of the CAcert OpenPGP key> (saved here as cacert.asc)
    2. gpg --import cacert.asc
  2. Trust this key:
    1. gpg --edit-key <keyid of the CAcert key>
    2. >trust
    3. >5
    4. 5 means "I trust ultimately". GnuPG only honours certifications made by keys it considers valid, and ultimate trust is the shortest way to make the CAcert key valid in your keyring without certifying it with a key of your own. Compare the key's fingerprint with the one CAcert publishes before doing this.
  3. Export your key:
    1. gpg --export --armor <your keyid> > <filename>
    2. Paste the content of that file into the form on the CAcert website to get your signed public key.
  4. Save the signed key from the CAcert website and import it
    1. gpg --import <filename>
  5. You might want to send your new signed key to a keyserver
    1. Check your key ID with gpg -k
    2. gpg --send-keys 9741E8AC (use your own key ID here)
    3. You could also export it again for uploading it to e.g. your webspace: gpg --export --armor <your keyid> > <filename>
  6. You should create a backup of your keys and make sure to not forget the passphrase!

Verify a signed package

  1. Install and trust the CAcert key (same steps as above)
    1. wget <url of the CAcert OpenPGP key>
    2. gpg --import cacert.asc
    3. gpg --edit-key <keyid of the CAcert key>
    4. >trust
    5. >5
  2. Search for and import the packager's key
    1. gpg --search-keys 9741E8AC
    2. Fetching a key from a keyserver does not make it trustworthy by itself; what makes it valid is the CAcert certification on it, which GnuPG checks against the trusted CAcert key from step 1.
  3. Verify the package
    1. gpg --verify devtools-*.pkg.tar.xz.sig
    2. gpg locates the data file by stripping the .sig suffix, so the package must sit next to its signature. Look for "Good signature" and make sure there is no "WARNING: This key is not certified with a trusted signature!"; gpg exits 0 in that case too, so a good signature from an untrusted key must not be taken as proof of who built the package.