If signatures are wanted, it seems sensible to me to also create them for the source and binary packages, not only inside the source package itself: the former are more useful for the security-savvy end user, while the latter are more useful for the advanced user who wants to re-compile the package itself.
These are, of course, NOT checked by "checksig" as the .sh file is not even in the same context of the packages (but rather inside one of them). Lapo
diff -b -u -r1.45 generic-build-script
--- templates/generic-build-script 22 Jan 2006 04:35:42 -0000 1.45
+++ templates/generic-build-script 28 Jan 2006 15:21:57 -0000
@@ -323,7 +323,8 @@
 }
 pkg() {
 (cd ${instdir} && \
- tar cvjf ${bin_pkg} * )
+ tar cvjf ${bin_pkg} * && \
+ name=${bin_pkg} text="BINARY PACKAGE" sigfile )
 }
 mkpatch() {
 (cd ${srcdir} && \
@@ -362,7 +363,8 @@
 rm -f \
 ${configurelogname} ${makelogname} ${checklogname} ${installlogname} ; \
 fi && \
- tar cvjf ${src_pkg} * )
+ tar cvjf ${src_pkg} * && \
+ name=${src_pkg} text="SOURCE PACKAGE" sigfile )
 }
 finish() {
 rm -rf ${srcdir}
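Review bot: The new `sigfile` call in `pkg()` is chained after `tar` with `&&`, but nothing here checks that a fresh signature for `${bin_pkg}` was actually written; `sigfile` is defined outside this hunk, so if it can return success without signing (for example when signing is switched off), a signature left over from an earlier build may sit next to the new tarball. The same applies to the `${src_pkg}` call in the second hunk, whose enclosing function starts outside the diff. Since the description says `checksig` does not cover these signatures, a comment above `pkg()` such as `# detached signature of the finished package, for end users to verify; not covered by checksig` would record that. On the rewritten `tar` lines the expansions are still unquoted and the bare `*` lets a file name beginning with `-` be read as a tar option; `tar cvjf "${bin_pkg}" ./*` avoids both.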