Hi all linux geeks,i want to develop an application that manages signing and verification of the packages.I will do that for a custom linux distribution so it doesnt use .deb or .rpm packaging managers. I want to use a public key infrastructure for that purpose,but never developed something like that.
So the person that packs the software will be able to sign the package and user that downloads it will be able to verify it s source. I searched about other distributions how do they conduct that job but couldn find anything useful. If someone have experience about that topic just post what you think please

Slackware packages are signed with gpg. So, for every package, say, package_name.tgz, there is an accompanying file named package_name.tgz.asc, which is used to certify the authenticity of the package.

The maintainer's public key is available on the official web site (or on downloaded CD-ROM images, etc). Once the public key is imported (gpg --import key_file), packages are verified with gpg --verify package_name.tgz.asc.

Thanks for the reply, i think to store the signature into the package itself,i dont know if it is a good idea or not but seems to me more packed. I dont want to use gpg i want to make that with python. So my plan is like that : for signing

1)Compute all the digests of the files that are inthe package (md5 or sha1) and store into a file
2) Sign that file (private key ) with digests with RSA or something like that

For verification :

1) User imports the public key of the signer
2) Decrypts the file with digests
3) Computes the all digests of the files with md5 or sha1 and compares if all are same the package is verified

It may seems stupid if someone has some ideas to improve it please tell me