* Bastien <b...@gnu.org> [2020-11-05 22:59]: > Thanks a lot, that's very useful. > > Something I'm not sure: shall we sign only the "archive-contents" file > or both "archive-contents" and "org-YYYYMMDD.tar"? > > For the public key of Org ELPA, where would you expect to download it > from? https://orgmode.org/elpa/key.asc or https://pgp.mit.edu or both?
Also packages shall be signed. So it is in GNU ELPA. As Org mode is part of Emacs, and you as maintainer signing it, I would personally expect it to be in ~/.emacs.d/elpa/gnupg where there is other key from GNU ELPA. But what is best you maybe coordinate with GNU ELPA maintainers. I think your key should be there in central GNU ELPA and with that key it should be possible to verify orgmode.org ELPA as well.
