Mail archive

Re: [alpine-devel] abuild signing using GnuPG

From: Jose-Luis Rivas <>
Date: Sat, 21 May 2016 10:58:18 -0400

On 21/05/16, 12:54pm, wrote:
> Hi,
> On Sat May 21 15:00:35 2016 GMT+0300, Sander Maijers wrote:
> > Hi all,
> >
> > Is this possible?
> Not currently out of box.
> Verifying gpg signatures of source tarballs would be useful. That could be done manually in unpack or prepare hook. But supporting it directly would be useful.
> The built packages are signed with rsa signatures. We are looking to support ecdsa / eddsa signatures also. Since the package signatures are essential part of the package manager, having them gpg signed does not make much sense imho.

Why would not make much sense?

Debian ships a keyring package with then is used to check that
signatures are valid, just like alpine ships /etc/apk/keys

Same thing, different technology, afaict.

⨳ PGP 0x13EC43EEB9AC8C43 ⨳
Received on Sat May 21 2016 - 10:58:18 GMT