using GnuPG to sign packages?

I'm sure this is a FAQ but I haven't found it addressed anywhere I've
looked so far.  (Using Glimpse to search the mailing lists on
debian.org has only rarely if ever got me anywhere.  And I only
recently subscribed to debian-devel.)

I'm wondering if it's okay to use GnuPG to sign Debian packages[1]
rather than PGP, especially in conjunction with dpkg-buildpackage. 

Do I need to use a recent version of GnuPG?

Do I need to alias or symlink it to /usr/local/bin/pgp or something
(command line opts)?

Should I be aware of any special key requirements (type/version)
other than >=1024k size?

What's a good way to go about getting my key signed by someone else
(especially someone affiliated with Debian?)  Just kinda get to know
some people?

These questions are pressing in my mind, and I thank you for an



[1] This is both for packages for my own internal use[2] and I am
thinking about packaging some other software for the project,
including a MGE brand UPS power daemon and GnomeICU, an ICQ clone.
Neither of which I wrote, but I am developing my own software[3] that
could be packaged when released.

[2] Erm, in case villains break into my system and erm, mess with my
archives and erm, do other unspecified bad things.

[3] Mostly web related stuff in Python[4], including a slash clone and a
thingie dealing with search engines.

[4] ObExcessiveFootnoting: "Bread!  Apples!  Very small rocks!  Great
Gravy! Cider!  Lead!  Mud!  Churches!  A Duck!  Oooooh..."
