On Monday, 18.06.2007, at 10:51 +0200, Michael Schroeder wrote:
On Mon, Jun 18, 2007 at 10:33:58AM +0200, Stephan Hermann wrote:
1. Signing the packages with the maintainers/uploaders (for sponsoring uploads) key (normally done via debsign or debuild)
2. Signing the Release file for official repositories (see e.g. http://archive.ubuntu.com/ubuntu/dists/feisty/Release and http://archive.ubuntu.com/ubuntu/dists/feisty/Release.gpg)
Seems like we should also generate a "Release" file in the build service, not just a "Packages" file. True? (But what would be the "Version" entry in the Release file?)
Well, 1.0 just in case ;)
The second signing is easy, I think it's the same for all distros, doesn't matter if it's rpm or deb.
The first signing is different. I know in the spec file there is the possibility of signing the resulting packages too, but I don't know if it's handled like in debian.
Yes, there is dpkg-sig and debsign. What's the "official" tool for signing a binary package? Or is it yet undecided?
Depends on what you upload.

Source uploads are done this way:
You need a signed .dsc file and a signed *_source.changes file

For binary only uploads you need:
a signed _i386.changes file

The official tool is always debsign, you can feed .dsc files, and .changes files and .command files.

Regards,

\sh

--
Stephan Hermann
eMail: sh@sourcecode.de
Blog: http://linux.blogweb.de/
JID: sh@linux-server.org
OSS-Developer and Admin
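
Added example, not part of the original thread or of the build service's code: a sketch of why the thread wants a signed Release file and not only a Packages file. The Release file lists a size and digest for each index, so one signature (Release.gpg) covers them all, and a client checks each downloaded index against that list. The sample data, the path `main/binary-i386/Packages` and the function names are constructed for illustration. The check only means something once Release itself has been verified against Release.gpg (for example with `gpg --verify Release.gpg Release`).

```python
import hashlib

# Checksum sections of a Release file and the hashlib name for each.
HASH_FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Return (fields, checksums); checksums[algo][path] = (hex digest, size)."""
    fields, checksums, section = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            # Indented line: belongs to the field above it.
            if section in HASH_FIELDS:
                digest, size, path = line.split(None, 2)
                checksums.setdefault(section, {})[path] = (digest.lower(), int(size))
        else:
            name, _, value = line.partition(":")
            section = name.strip()
            if value.strip():
                fields[section] = value.strip()
    return fields, checksums

def verify_index(release_text, path, data, algo="SHA256"):
    """True only if data matches the size and digest Release lists for path."""
    _, checksums = parse_release(release_text)
    entry = checksums.get(algo, {}).get(path)
    if entry is None:
        return False  # file is not covered by Release, so nothing vouches for it
    digest, size = entry
    if len(data) != size:
        return False
    return hashlib.new(HASH_FIELDS[algo], data).hexdigest() == digest

# Constructed sample data, not taken from a real archive.
PACKAGES = b"Package: hello\nVersion: 1.0-1\nArchitecture: i386\n"
RELEASE = (
    "Origin: example\n"
    "Suite: test\n"
    "Version: 1.0\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-i386/Packages\n"
)

if __name__ == "__main__":
    path = "main/binary-i386/Packages"
    print(verify_index(RELEASE, path, PACKAGES))         # untouched index
    print(verify_index(RELEASE, path, PACKAGES + b"X"))  # modified index
```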