Re: Packages getting created without signature
But the dpkg-buildpackage command asks for the passphrase just before building the
package (at dh_builddeb). So how can I check it with lintian etc.?
Do you want that first I should build a package, check it and then use gpg
separately for signing the package?
Kapil Hari Paranjape wrote:
> On Fri, 14 Dec 2007, iluvlinux wrote:
>> Storing your passphrase in a file or ENV variable is never "safe" as told
>> by documents and by mentors.
> True enough. Yet ...
>> Then here's what I found:
>> gpg's default home dir is ~/.gnupg (you can change it using the --homedir
>> option; using this option will, up to some extent, provide at least some
>> security as no one knows where your default directory is).
>> Create a file gpg.conf in that folder and edit it to contain text as
>> "passphrase <your-passphrase>"
> ... here you are suggesting that you store the passphrase in a file!
> A much better option is to use the gpg agent.
> As far as signing packages is concerned, I would recommend that you
> never do this "in the background". You need to verify the package
> *before* you sign it. Your signature on the package affirms that you
> have checked it as thoroughly as possible and are certifying this. So
> run lintian, piuparts and so on before you sign a package.
Sent from the debian-mentors mailing list archive at Nabble.com.
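
The build, check, then sign sequence discussed in this thread, as an added shell example that is not part of any poster's message. It assumes dpkg-dev, lintian and devscripts (for debsign) are installed and that gpg-agent supplies the passphrase prompt; the function names `build_unsigned` and `check_then_sign` and the file name in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: keep signing as a separate, final step after the checks.

# Build from inside the unpacked source tree without signing anything:
# -us leaves the source package unsigned, -uc leaves the .changes unsigned,
# so no passphrase is requested during the build.
build_unsigned() {
    dpkg-buildpackage -us -uc
}

# check_then_sign CHANGES_FILE
# Runs lintian on an unsigned .changes file and calls debsign only when
# lintian exits with status 0. Returns 1 on lintian failure, 2 if the file
# is missing, 3 if the file already carries a signature.
check_then_sign() {
    changes=$1
    if [ ! -f "$changes" ]; then
        echo "no such file: $changes" >&2
        return 2
    fi

    # A clearsigned .changes starts with this armor line; refuse to continue
    # so that a file is never signed without having been checked first.
    if grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$changes"; then
        echo "$changes is already signed" >&2
        return 3
    fi

    # lintian exits non-zero when it reports errors.
    if ! lintian "$changes"; then
        echo "lintian reported problems; not signing $changes" >&2
        return 1
    fi

    # Further checks named in the thread (for example piuparts on the
    # resulting .deb files, which needs root) belong here, before debsign.

    # debsign signs the .dsc and .changes in place; gpg asks for the
    # passphrase (or uses gpg-agent) only at this point.
    debsign "$changes"
}

# Usage (constructed file name):
#   build_unsigned && check_then_sign ../demo_1.0-1_amd64.changes
```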