On 17 July 2015 at 22:34, Andrew Savchenko <birc...@gentoo.org> wrote:
> 2. Add an optional feature to emerge (or even to PMS?) allowing user
> to provide a usable GPG key for signing packages CONTENTS files
> after its generation. In order for such key to be usable during
> emerge run, gpg-agent should be used; alternatively it may be
> allowed to sign already installed packages on a trusted system.
> 3. Of course backward compatibility with old CONTENTS format should
> be kept.


To keep things simple, I'd suggest storing the signature externally to
the CONTENTS file.

This would be more convenient for any tools that are trying to scrape
the CONTENTS files with regex/grep, not needing to first unwrap them.
(Not to mention trivial to determine which packages have signatures
without needing to actually read the files.)

Though, seeing we're going down this road, you could sign the whole vdb dir.

-- 
Kent

KENTNL - https://metacpan.org/author/KENTNL
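
Added example (not part of the message above and not Portage code): a Python sketch of the two points made in the reply. It shows that a clearsigned wrapper puts lines into CONTENTS that a strict dir/obj/sym reader does not recognise, while a sidecar signature leaves the file untouched and lets signed packages be listed by filename alone. The sidecar name CONTENTS.sig, the package names and the sample entries are assumptions constructed for illustration, and the signature bytes are placeholders, not real OpenPGP output.

```python
import re
import tempfile
from pathlib import Path

SIG_NAME = "CONTENTS.sig"  # assumed sidecar name, not defined by Portage or PMS

# Entry shapes: "dir <path>", "obj <path> <md5> <mtime>", "sym <path> -> <target> <mtime>"
ENTRY = re.compile(
    r"^(?:dir .+|obj .+ [0-9a-f]{32} \d+|sym .+ -> .+ \d+)$"
)

SAMPLE = (  # constructed sample entries, not taken from a real package
    "dir /usr/bin\n"
    "obj /usr/bin/foo d41d8cd98f00b204e9800998ecf8427e 1437172440\n"
    "sym /usr/bin/bar -> foo 1437172440\n"
)

def clearsign_wrap(text):
    """Mimic OpenPGP cleartext framing around text; signature body is a placeholder."""
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + text +
            "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n")

def unparsed_lines(text):
    """Return the lines a strict CONTENTS reader would not recognise."""
    return [line for line in text.splitlines() if not ENTRY.match(line)]

def signed_packages(vdb):
    """List category/package dirs that have a sidecar, without opening any CONTENTS."""
    root = Path(vdb)
    return sorted(p.parent.relative_to(root).as_posix()
                  for p in root.glob("*/*/" + SIG_NAME))

def build_demo_vdb(root):
    """Create a constructed two-package vdb tree; only foo-1.0 gets a sidecar."""
    for pkg, signed in (("app-misc/foo-1.0", True), ("app-misc/bar-2.0", False)):
        pkgdir = Path(root, pkg)
        pkgdir.mkdir(parents=True)
        (pkgdir / "CONTENTS").write_text(SAMPLE)
        if signed:
            (pkgdir / SIG_NAME).write_bytes(b"PLACEHOLDER-DETACHED-SIGNATURE")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_vdb(root)
        return signed_packages(root)

if __name__ == "__main__":
    print("plain CONTENTS, unrecognised lines:", unparsed_lines(SAMPLE))
    print("clearsigned, unrecognised lines:", len(unparsed_lines(clearsign_wrap(SAMPLE))))
    print("packages with sidecar signature:", demo())
```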
