DeveloperWiki:Signing Packages

From ArchWiki
Revision as of 13:04, 30 October 2011 by Pierre (Talk | contribs)

Jump to: navigation, search


Choose an UID

  • Use a valid e-mail address. Means no obfuscation.
  • The e-mail address should be reliable (so don't use the one you got from your ISP a random free mail address).
  • If in doubt you should prefer using your archlinux.org address
  • The UID has also to be the same as the PACKAGER variable you use to build packages
  • An UID looks like this: Pierre Schmitz <pierre@archlinux.de>

Recommendation

Create a key pair

  1. install gnupg
  2. gpg --gen-key
    1. you may use the default options which is a 2048 Bit RSA key for encryption and signing which does not expire
  3. Also create a revoke key for later use
    1. gpg -o ~/.gnupg/pierre@archlinux.de-revoke.asc --gen-revoke pierre@archlinux.de
    2. Make sure to create a backup of this file and remove it from your system afterwards
  4. Backup your private key: gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc

Optional: Get your key signed by CAcert

  1. Get the CAcert key and import it:
    1. wget https://www.cacert.org/certs/cacert.asc
    2. gpg --import cacert.asc
  2. Trust this key:
    1. gpg --edit-key gpg@cacert.org
    2. >trust
    3. >5
  3. Export your key:
    1. gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc
    2. Paste the content of that file into the form on the CAcert website to get your signed public key.
  4. Save the signed key from the CAcert website and import it
    1. gpg --import <filename>
  5. You could also export it again for uploading it on e.g. your webspace: gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc

Optional: Get your key signed by other devs

  1. When ever you meet with another dev, sign each others keys.
  2. take this seriously and never sign a key when you cannot the others identity.
    1. e.g. check official identity documents especially if you don't know that person for a long time.

Publish your public key

  1. Send your new signed key to a keyserver
    1. Check your key id with gpg -k
    2. gpg --send-keys 9741E8AC
  2. Add your key finger print to your profile at https://www.archlinux.org/devel/profile/

Backup

  1. You should create a backup of your keys and make sure to not forget the passphrase!

Sign your packages

  1. Install devtools 0.9.22 or later
  2. add SIGNPKG=y to your ~/.makepkg.conf
  3. If you want to sign with a specific key also add GPGKEY=<id>
  4. commitpkg and its aliases like extrapkg or testingpkg will now sign your packages and upload the package including its signature.