On 21/05/16, 12:54pm, timo.teras@gmail.com wrote:
> Hi,
> On Sat May 21 15:00:35 2016 GMT+0300, Sander Maijers wrote:
> > Hi all,
> > 
> > Is this possible?
> Not currently out of box.
> Verifying gpg signatures of source tarballs would be useful. That could be done manually in unpack or prepare hook. But supporting it directly would be useful.
> The built packages are signed with rsa signatures. We are looking to support ecdsa / eddsa signatures also. Since the package signatures are an essential part of the package manager, having them gpg signed does not make much sense imho.

Why would it not make much sense?

Debian ships a keyring package which is then used to check that
signatures are valid, just like Alpine ships /etc/apk/keys.

Same thing, different technology, afaict.
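A sketch of the manual check Timo mentions for the unpack/prepare hook, as an added example that is not from this thread or from Alpine's abuild: a prepare() hook that verifies a detached GPG signature on the source tarball against a keyring kept next to the APKBUILD, so the check does not depend on the builder's own ~/.gnupg or on a keyserver at build time. The helper name verify_source_sig, the tarball/signature/keyring file names and the placement of the keyring file are assumptions.

```shell
# Added example (not from the thread or from Alpine's abuild).
#
# verify_source_sig TARBALL SIGNATURE KEYRING
#   Returns 0 only when SIGNATURE is a good detached signature over TARBALL
#   made by a key contained in KEYRING (an OpenPGP public-key file such as
#   the output of `gpg --export`). A missing file, a signer not present in
#   KEYRING, or a tampered tarball all make it return non-zero.
#   Pass KEYRING as an absolute path: gpg resolves a bare file name
#   relative to GNUPGHOME, not to the current directory.
verify_source_sig() {
    [ -f "$1" ] && [ -f "$2" ] && [ -f "$3" ] || return 1
    # --no-default-keyring: ignore whatever keys the build user has imported;
    # only the keys shipped with the package may vouch for the tarball.
    gpg --batch --no-default-keyring --keyring "$3" \
        --trust-model always --verify "$2" "$1" >/dev/null 2>&1
}

# APKBUILD-style prepare() hook (hypothetical file names): abort the build
# unless the fetched tarball verifies against the bundled upstream key.
prepare() {
    default_prepare
    verify_source_sig "$srcdir/$pkgname-$pkgver.tar.gz" \
                      "$srcdir/$pkgname-$pkgver.tar.gz.asc" \
                      "$startdir/upstream-signing-key.gpg" || return 1
}
```

Drop the output redirection in verify_source_sig if you want gpg's verdict in the build log; the exit status is what the hook acts on either way.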

