Re: [arch-dev-public] sign packages on alderaan (was: Finalizing the package signing process)
On 31 October 2011 02:06, Florian Pritz bluew...@xinu.at wrote:
> So far the only solution is to download the finished package, sign it locally using gpg --detach-sign file and then upload the signature back to pkgbuild.com so commitpkg will find it.

Did something change WRT this workflow now? I'm getting signature-incorrect from commitpkg. I did sign like this 2 times before (opencv and cinelerra-cv), so it did work recently.

gpg --verify outputs:

gpg: Can't check signature: public key not found

But this is normal, and the public key was not there for the previous 2 times. Or was gpg --verify not there in commitpkg before? Do I now need to import my public key on alderaan?

--
GPG/PGP ID: C0711BF1
Re: [arch-dev-public] sign packages on alderaan (was: Finalizing the package signing process)
On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif sc...@archlinux.org wrote:
> On 31 October 2011 02:06, Florian Pritz bluew...@xinu.at wrote:
>> So far the only solution is to download the finished package, sign it locally using gpg --detach-sign file and then upload the signature back to pkgbuild.com so commitpkg will find it.
>
> Did something change WRT this workflow now? I'm getting signature-incorrect from commitpkg. I did sign like this 2 times before (opencv and cinelerra-cv), so it did work recently.
>
> gpg --verify outputs:
>
> gpg: Can't check signature: public key not found
>
> But this is normal, and the public key was not there for the previous 2 times. Or was gpg --verify not there in commitpkg before? Do I now need to import my public key on alderaan?

Is your key in your keychain on alderaan? Probably not from what this looks like. Easy to check- `gpg --list-keys 0xfoobar`.

-Dan
Re: [arch-dev-public] sign packages on alderaan (was: Finalizing the package signing process)
On 12 November 2011 07:35, Dan McGee dpmc...@gmail.com wrote:
> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif sc...@archlinux.org wrote:
>> On 31 October 2011 02:06, Florian Pritz bluew...@xinu.at wrote:
>>> So far the only solution is to download the finished package, sign it locally using gpg --detach-sign file and then upload the signature back to pkgbuild.com so commitpkg will find it.
>>
>> Did something change WRT this workflow now? I'm getting signature-incorrect from commitpkg. I did sign like this 2 times before (opencv and cinelerra-cv), so it did work recently.
>>
>> gpg --verify outputs:
>>
>> gpg: Can't check signature: public key not found
>>
>> But this is normal, and the public key was not there for the previous 2 times. Or was gpg --verify not there in commitpkg before? Do I now need to import my public key on alderaan?
>
> Is your key in your keychain on alderaan? Probably not from what this looks like. Easy to check- `gpg --list-keys 0xfoobar`.
>
> -Dan

Nope. That was what I was asking - whether I need to add it. The last 2 times that I pushed signed packages from alderaan I didn't do anything gpg-related remotely.

Anyway, imported the key now so all is good again.

--
GPG/PGP ID: C0711BF1
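The situation resolved in the message above, reproduced as an added example (it is not part of any message in this thread and is not Arch's commitpkg code): a detached signature checked against an empty keyring, checked again after the public key is imported, and checked once more after the file is modified. The key, user ID, file name, directory names and the helpers `classify_sig` and `demo` are constructed for illustration; GnuPG 2.1 or later is assumed.

```bash
#!/usr/bin/env bash
# Added illustration: throwaway key, constructed file, two scratch keyrings.

# classify_sig SIG FILE HOMEDIR: read gpg's machine-readable status lines
# instead of its human-readable messages.
classify_sig() {
    local status
    status=$(gpg --homedir "$3" --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    case "$status" in
        *"[GNUPG:] GOODSIG"*)   echo good ;;         # key present, data matches
        *"[GNUPG:] NO_PUBKEY"*) echo missing-key ;;  # cannot be checked at all
        *"[GNUPG:] BADSIG"*)    echo bad ;;          # key present, data differs
        *)                      echo unknown ;;
    esac
}

demo() {
    local work signer server pkg r1 r2 r3
    work=$(mktemp -d) || return 1
    signer="$work/signer"; server="$work/server"   # hypothetical: laptop, build host
    mkdir -m 700 "$signer" "$server"
    pkg="$work/example-1.0-1-any.pkg.tar.xz"       # constructed stand-in package
    echo "constructed payload" > "$pkg"

    # Packager's machine: create a key and a detached signature ($pkg.sig).
    gpg --homedir "$signer" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Example Packager <packager@example.invalid>" \
        ed25519 sign never >/dev/null 2>&1 || return 1
    gpg --homedir "$signer" --batch --detach-sign "$pkg" >/dev/null 2>&1 || return 1

    # Build host with an empty keyring: the case from the thread.
    r1=$(classify_sig "$pkg.sig" "$pkg" "$server")

    # Import only the public key on the build host, then verify again.
    gpg --homedir "$signer" --batch --export 2>/dev/null |
        gpg --homedir "$server" --batch --import >/dev/null 2>&1
    r2=$(classify_sig "$pkg.sig" "$pkg" "$server")

    # Modify the file after signing: now the signature is really wrong.
    echo "tampered" >> "$pkg"
    r3=$(classify_sig "$pkg.sig" "$pkg" "$server")

    GNUPGHOME="$signer" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

demo   # prints: missing-key good bad
```

A wrapper that only looks at gpg's exit status sees a failure in both the first and the third case; the status lines are what separate "key not in this keyring" from "signature does not match the file".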
Re: [arch-dev-public] sign packages on alderaan (was: Finalizing the package signing process)
On 30.10.2011 18:56, Daniel Isenmann wrote:
> I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?

So far the only solution is to download the finished package, sign it locally using gpg --detach-sign file and then upload the signature back to pkgbuild.com so commitpkg will find it.

There has been some discussion [1] about remote signing for GPG, but I think they dropped the idea.

[1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html

--
Florian Pritz
Re: [arch-dev-public] sign packages on alderaan (was: Finalizing the package signing process)
On Sun, 30 Oct 2011 19:06:21 +0100 Florian Pritz bluew...@xinu.at wrote:
> On 30.10.2011 18:56, Daniel Isenmann wrote:
>> I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
>
> So far the only solution is to download the finished package, sign it locally using gpg --detach-sign file and then upload the signature back to pkgbuild.com so commitpkg will find it.
>
> There has been some discussion [1] about remote signing for GPG, but I think they dropped the idea.
>
> [1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html

Kerrick Staley's last comment [1] on this thread was that they will go with the hash-signing implementation. But it seems that there is nothing new on this topic.

[1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042078.html