On 2016-04-18 22:12, Mojca Miklavec wrote:
> I have a problem understanding those rules because we are not dealing
> with encrypted information, but merely use the same algorithms to
> verify authenticity of the packages. On the other hand I have problems
> believing that this problem really cannot be solved ... MacPorts
> apparently solved it.

To avoid the dependency on GnuPG, MacPorts uses a simpler, custom signing mechanism. It is based on 'openssl dgst -sign' and currently limited to rmd160 hashes only. This makes it less flexible than using all the features of the OpenPGP format, but fits our needs.

The steps on how to sign an archive for MacPorts are described in SharingArchives2 [1].

Rainer

[1] https://trac.macports.org/wiki/howto/ShareArchives2
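
The mechanism described in the reply above, as an added example that is not part of the original mail and is not MacPorts' own tooling: a detached RIPEMD-160 signature made with 'openssl dgst -sign' and checked with 'openssl dgst -verify'. The function names, file names, the `.sig` suffix and the 2048-bit RSA key are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: detached signature over an archive with 'openssl dgst -sign'.
# Function and file names are hypothetical, not taken from MacPorts.

DIGEST="${DIGEST:-ripemd160}"   # the mail says MacPorts is limited to rmd160

# make_keypair PRIVKEY PUBKEY: write an RSA key pair in PEM form
make_keypair() {
    openssl genrsa -out "$1" 2048 2>/dev/null &&
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# sign_archive PRIVKEY ARCHIVE: hash ARCHIVE and write the signature to ARCHIVE.sig
sign_archive() {
    openssl dgst "-$DIGEST" -sign "$1" -out "$2.sig" "$2"
}

# verify_archive PUBKEY ARCHIVE: exit 0 only if ARCHIVE.sig matches ARCHIVE
verify_archive() {
    [ -s "$2.sig" ] || return 1    # a missing or empty signature is a failure
    openssl dgst "-$DIGEST" -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# demo: sign a constructed archive, verify it, then tamper and verify again
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed package payload\n' > "$tmp/pkg.tbz2"
    make_keypair "$tmp/priv.pem" "$tmp/pub.pem" &&
    sign_archive "$tmp/priv.pem" "$tmp/pkg.tbz2" &&
    verify_archive "$tmp/pub.pem" "$tmp/pkg.tbz2" && echo "original: verified"
    printf 'x' >> "$tmp/pkg.tbz2"  # one appended byte changes the hash
    verify_archive "$tmp/pub.pem" "$tmp/pkg.tbz2" || echo "tampered: rejected"
    rm -rf "$tmp"
}

demo
```

Only the public key is needed on the verifying side; the signature covers the hash of the file, so nothing is encrypted.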