Signing Packages
[ rough draft ]
Have a GPG key
Create your new key:
gpg --gen-key
more... [ TBD: how strong should the key be? ]
Back it up:
gpg --export-secret-keys --armor <keyid> > my_key_backup.asc
more...
In case you need to import the backup later:
gpg --import <backup_file>, gpg --edit-key <keyid> and trust it ultimately.
Export the public key:
gpg --export --armor <keyid> > my_pub_key.asc
If you're going to use the key for GPG/MIME or share your signed packages with other people, you probably need publish your key:
gpg --send-key <keyid>
more...
Import into pacman
This is needed because pacman has its own keystore and own rules for trusting keys. Either you get approved as a packager for the MSYS2 project, or you have to import your key manually.
To import and sign your key with pacman-key:
pacman-key --add <pubkeyfile>, or if it's publishedpacman-key --recv-keys <keyid>pacman-key --lsign-key <keyid>more...
To make your key a trusted developer key for signing official packages, you have to get your key included in the respective keyring and get it signed by at least 3 master keys. The package and repository is msys2-keyring for MSYS2, see Alexpux/msys2-keyring. The package and repository for Arch Linux is archlinux-keyring, see https://projects.archlinux.org/archlinux-keyring.git/. These packages install keyring files into /usr/share/pacman/keyrings which then can be imported and locally signed in one batch using pacman-key --populate <keyringname>.
Actually sign stuff
- Old packages:
gpg --detach-sign --no-armor <pkg>for each package (all such packages need to be re-repo-added to make the database aware of the new signatures) - New packages: just add
--signto makepkg command line or set the relatedmakepkg.confoption - Databases:
repo-add -s -v <db> <pkg>