On Mon, Jun 18, 2007 at 10:33:58AM +0200, Stephan Hermann wrote:
1. Signing the packages with the maintainers/uploaders (for sponsoring uploads) key (normally done via debsign or debuild)
2. Signing the Release file for official repositories (see e.g. http://archive.ubuntu.com/ubuntu/dists/feisty/Release and http://archive.ubuntu.com/ubuntu/dists/feisty/Release.gpg)
Seems like we should also generate a "Release" file in the build service, not just a "Packages" file. True? (But what would be the "Version" entry in the Release file?)
The second signing is easy, I think it's the same for all distros, doesn't matter if it's rpm or deb.
The first signing is different. I know in the spec file there is the possibility of signing the resulting packages too, but I don't know if it's handled like in Debian.
Yes, there is dpkg-sig and debsign. What's the "official" tool for signing a binary package? Or is it yet undecided?
Thanks, Michael.