On Tue, Sep 11, 2018 at 12:29:11PM +0000, Edward Lopez-Acosta wrote:
> Wasn't sure if this was better posted here or in misc@, but seemed relevant 
> to port authors.
> 
> Understandably package signing should be on an air gapped system, but 
> pkg_sign allows for passphrases on keys. However, it doesn't seem to remember 
> the passphrase if multiple packages are provided.

This is by design in signify... You'd have to convince tedu@ to change that.

> Even if air gapped I feel like a passphrase on a key is a good idea but it 
> makes bulk signing a pain.

You could keep the secret key encrypted, decrypt it before you sign everything
and rm the clear file once you're done.

openssl(1) has a variety of algorithms you can use for that.

Reasonably easy to script.

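The decrypt, sign, remove sequence suggested in the reply above, sketched as a shell function. This is an added example, not part of the original thread or of pkg_sign. It assumes a signify key created without a passphrase (`signify -G -n`), encrypted beforehand with `openssl enc -aes-256-cbc -pbkdf2 -salt`, and an openssl(1) whose `enc` supports `-pbkdf2`; `bulk_sign`, `SIGN_CMD` and `KEY_PASS` are names invented here.

```sh
#!/bin/sh
# Added example: decrypt the signing key once, sign all packages, remove the clear copy.
# Assumed one-time setup (not from the thread):
#   signify -G -n -p pkg.pub -s pkg.sec
#   openssl enc -aes-256-cbc -pbkdf2 -salt -in pkg.sec -out pkg.sec.enc && rm pkg.sec

# Default signer: pkg_sign with a signify2 key, signed packages written to $outdir.
sign_with_pkg_sign() {
    key=$1 outdir=$2; shift 2
    pkg_sign -s signify2 -s "$key" -o "$outdir" "$@"
}

# bulk_sign ENCRYPTED_KEY OUTDIR PACKAGE...
# The body is a subshell, so the EXIT trap removes the clear key as soon as
# signing finishes or fails, not when the calling shell exits.
bulk_sign() (
    [ $# -ge 3 ] || { echo "usage: bulk_sign key.enc outdir pkg..." >&2; exit 2; }
    enc_key=$1 outdir=$2; shift 2

    umask 077                        # clear key readable by the owner only
    tmpdir=$(mktemp -d) || exit 1    # point TMPDIR at a memory-backed fs if available
    trap 'rm -rf "$tmpdir"' EXIT
    trap 'exit 1' HUP INT TERM       # make signals go through the EXIT trap

    # Clear copy keeps the original file name, minus the .enc suffix.
    clear_key=$tmpdir/$(basename "$enc_key" .enc)

    # Without KEY_PASS, openssl prompts for the passphrase once on the terminal.
    # KEY_PASS (hypothetical) takes any openssl -pass source, e.g. file:/path.
    if [ -n "${KEY_PASS:-}" ]; then
        openssl enc -d -aes-256-cbc -pbkdf2 -in "$enc_key" -out "$clear_key" \
            -pass "$KEY_PASS" || exit 1
    else
        openssl enc -d -aes-256-cbc -pbkdf2 -in "$enc_key" -out "$clear_key" || exit 1
    fi

    # One signer invocation for the whole batch; SIGN_CMD (hypothetical) swaps it out.
    "${SIGN_CMD:-sign_with_pkg_sign}" "$clear_key" "$outdir" "$@"
)
```

Called as `bulk_sign pkg.sec.enc /path/to/signed *.tgz`, it asks for the passphrase once per batch. `rm` only unlinks the clear key, so a temporary directory on a memory-backed filesystem keeps it off disk.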