Quote:
Originally Posted by hollywoodb
I've a few packages I use for Fedora that aren't available from the official repos or livna, so I decided to make a public repository.
I've set up the repo, have the -release.rpm to get it set up, but I can't seem to find any information on how to gpg sign packages and enable gpg encryption via the repo file.
Is there a definitive doc or howto on this, or is it trivial enough to be explained here?
FWIW: repo @ http://rpm.offbeatlounge.com
You should have an understanding of what public key crypto is and how to use the gpg command line. A couple of nice pages that everybody refers to are
http://www.mccune.cc/PGP.htm
http://www.rossde.com/PGP/
But this is a lot of reading.
It's very simple to sign anything. The steps are:
1. Create your signing key(s)
2. Upload your keys to key servers and/or publish them on your web page
3. Create a detached signature for each package you want to sign and make it available for download with the package
Signing just guarantees to whoever downloads the package that it's the package *you* created. It proves it didn't get changed by anybody and that it was downloaded exactly, without errors.
I don't think you want to encrypt anything.
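The three steps from the reply above, carried out end to end, as an added example that is not part of the original thread. It assumes GnuPG 2.1 or newer is installed and does everything inside throwaway keyrings created under mktemp, so your real ~/.gnupg is never touched; the key's name and e-mail, the package file contents and the file names are made up for the demonstration. The last function also shows the property the reply describes: once a single byte of the package changes, the same detached signature no longer verifies.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes GnuPG >= 2.1.
# All key material lives in temporary keyrings; names and files are made up.
set -eu

# Step 1: create a signing-only key in an isolated keyring.
# --batch with an empty passphrase makes this unattended; a real repository
# key should carry a passphrase and never live on the web server itself.
make_signing_key() {
    keyring="$1"
    mkdir -p "$keyring" && chmod 700 "$keyring"
    GNUPGHOME="$keyring" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Example Repo Key <repo@example.invalid>" rsa3072 sign never
}

# Step 2: export the public key, ASCII-armoured. This is the file you publish
# next to the repository (or send to a key server); users import only this.
export_public_key() {
    keyring="$1"; out="$2"
    GNUPGHOME="$keyring" gpg --batch --quiet --armor --export repo@example.invalid >"$out"
}

# Step 3: write a detached, armoured signature alongside the package (pkg.asc).
sign_package() {
    keyring="$1"; pkg="$2"
    GNUPGHOME="$keyring" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$pkg.asc" "$pkg"
}

# The downloader's side: import only the published public key into a fresh
# keyring and check the detached signature. Returns 0 on a good signature.
verify_package() {
    keyring="$1"; pubkey="$2"; pkg="$3"
    mkdir -p "$keyring" && chmod 700 "$keyring"
    GNUPGHOME="$keyring" gpg --batch --quiet --import "$pubkey" 2>/dev/null
    if GNUPGHOME="$keyring" gpg --batch --quiet --verify "$pkg.asc" "$pkg" 2>/dev/null; then
        return 0
    fi
    return 1
}

# End-to-end check: the untouched package verifies, and the same signature
# fails after one byte is appended. Returns 0 only when both hold.
demo() {
    work=$(mktemp -d)
    # Constructed stand-in for a package file; any bytes will do for signing.
    printf 'pretend this is example-1.0-1.noarch.rpm\n' >"$work/example.rpm"
    make_signing_key "$work/maintainer"
    export_public_key "$work/maintainer" "$work/RPM-GPG-KEY-example"
    sign_package "$work/maintainer" "$work/example.rpm"
    good=1
    verify_package "$work/user" "$work/RPM-GPG-KEY-example" "$work/example.rpm" && good=0
    # Tamper with the package after signing; verification must now fail.
    printf 'x' >>"$work/example.rpm"
    tampered=1
    verify_package "$work/user2" "$work/RPM-GPG-KEY-example" "$work/example.rpm" && tampered=0
    # Stop the agents gpg started for the temporary keyrings, then clean up.
    for d in maintainer user user2; do
        GNUPGHOME="$work/$d" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$tampered" -eq 1 ]
}
```

Run `demo` to exercise all three steps; for a real repository you would keep the maintainer keyring off the web host, publish only the exported public key file, and ship each package together with its `.asc` so users can run the same `gpg --verify` against the key they imported.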