On Sat, 2025-05-03 at 09:35 -0400, Pocket wrote:
> > So my questions are as follows
> > 1.
Answered by pocket.
> 2. I would like to sign the packages in the custom repository.
>
I have built this into my package building / repo toolkit. While I have
shared a lot of my tools in the aur I have not yet released these ones.
At some point I probably will.
That said.
The idea is each repository has its own repo database files. True for
official repos as well as self managed. They are the same.
For example the repo database files are found in
<repo>/os/x86_64/*db*
where the repo name is <repo> - be it "core", "core-testing" or "my-repo".
The relevant files, using core-testing as example (replace core-testing with whatever your repo name is that you want to sign):
core-testing.db
core-testing.db.tar.gz.old
core-testing.db.sig
core-testing.db.tar.gz.sig
core-testing.db.tar.gz
The "old" ones are just previous ones from repo-add/repo-remove. Ignore
those. You probably use zstd compression for your own repo (I do) so
all ".gz" would be ".zst".
We have "core-testing.db" which is a symlink to core-testing.db.tar.gz
so ignore this as well.
The actual database file is core-testing.db.tar.gz and this is what
must be signed - once it's signed the signature file is
core-testing.db.tar.gz.sig
You need to have a symlink for the sig too (just like for the database
file).
core-testing.db.sig (symlink) -> core-testing.db.tar.gz.sig
In a nutshell (adjust repo name and compression extension as
appropriate):
(a) sign: <repo-name>.db.tar.zst ==> <repo-name>.db.tar.zst.sig
(b) symlink: ln -s <repo-name>.db.tar.zst.sig <repo-name>.db.sig
To sign the database file, use gpg (or sequoia sq if you prefer) with a
detached sig.
Something like:
gpg --detach-sign --no-armor -u <your-gpg-uid> <repo-name>.db.tar.zst
Hope that helps.
--
Gene
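One way to script the two steps listed above (detached signature, then the .sig symlink) and to check the result, as an added example that is not part of the original message or of Gene's unreleased toolkit. It assumes the repo is laid out as <root>/os/x86_64/, that the database is zstd-compressed (<repo>.db.tar.zst), and that gpg is on PATH; the demo uses a throwaway keyring, a hypothetical signing uid (repo-signer@example.invalid) and a constructed dummy database file standing in for repo-add's output, so it never touches a real keyring or repo.

```shell
#!/bin/sh
# Added example (not Gene's toolkit): sign an Arch-style repo database with a
# detached GPG signature and lay out the symlinks pacman expects.
set -eu

# Sign <repo>.db.tar.zst -> <repo>.db.tar.zst.sig and create the <repo>.db.sig
# symlink next to the existing <repo>.db symlink.
#   $1 = directory holding the database, $2 = repo name, $3 = gpg key id / uid
sign_repo_db() {
    dir=$1; repo=$2; keyid=$3
    db="$dir/$repo.db.tar.zst"
    [ -f "$db" ] || { echo "missing database: $db" >&2; return 1; }
    # --detach-sign: signature goes to a separate file; --no-armor: binary .sig,
    # which is what pacman looks for; --yes: overwrite a stale .sig after repo-add.
    gpg --batch --yes --detach-sign --no-armor -u "$keyid" -o "$db.sig" "$db"
    # Relative symlink, so the directory can be moved or served as-is.
    ln -sf "$repo.db.tar.zst.sig" "$dir/$repo.db.sig"
}

# Check that both symlinks point at the compressed files and that the
# signature verifies against the database. Returns 0 on success.
verify_repo_db() {
    dir=$1; repo=$2
    [ -L "$dir/$repo.db" ] && \
        [ "$(readlink "$dir/$repo.db")" = "$repo.db.tar.zst" ] || return 1
    [ -L "$dir/$repo.db.sig" ] && \
        [ "$(readlink "$dir/$repo.db.sig")" = "$repo.db.tar.zst.sig" ] || return 1
    # gpg exits non-zero on a BAD signature or a missing key.
    gpg --batch --verify "$dir/$repo.db.sig" "$dir/$repo.db" >/dev/null 2>&1
}

# Demo: throwaway keyring, hypothetical signing uid, constructed dummy database.
# Sets DEMO_DIR and DEMO_REPO for the caller.
DEMO_KEY='repo-signer@example.invalid'   # hypothetical uid, not a real key
demo() {
    DEMO_DIR=$(mktemp -d)/os/x86_64
    DEMO_REPO=my-repo
    mkdir -p "$DEMO_DIR"
    # Separate GNUPGHOME so the example never touches the user's real keys.
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$DEMO_KEY" default default never
    # Constructed stand-in for repo-add's output (not a real zstd archive).
    printf 'constructed dummy database contents\n' > "$DEMO_DIR/$DEMO_REPO.db.tar.zst"
    ln -sf "$DEMO_REPO.db.tar.zst" "$DEMO_DIR/$DEMO_REPO.db"
    sign_repo_db "$DEMO_DIR" "$DEMO_REPO" "$DEMO_KEY"
    echo "signed repo in $DEMO_DIR"
    ls -l "$DEMO_DIR"
}

# Run the demo only when asked: sh sign-repo-db.sh demo
case "${1:-}" in
    demo) demo && verify_repo_db "$DEMO_DIR" "$DEMO_REPO" && echo "signature OK" ;;
esac
```

For a real repo, call sign_repo_db with the directory repo-add wrote into, your repo name and your own key id, and run it again after every repo-add / repo-remove, since the database (and therefore its signature) changes each time. verify_repo_db is a useful post-publish check: it fails both when a symlink points at the wrong name and when the database was modified after signing.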