
How to locally sign a package that has been built on another machine?



Hi,

my personal workstation is little more than an X terminal, while I do
most of my work on a central box where my home directory is located.
Thus, I build my packages on that central box as well. Naturally, I
don't intend to put my GPG key on that central machine and keep it on
the local hard disk of my personal workstation.

Now, how do I sign my Debian packages with that setup? Do I see it
correctly that it is the .dsc file for the source and the .changes
file for the binary package that get signed, pinning the MD5 sums of
the package files to my e-mail address?

Is this as straightforward as running gpg --clearsign --armor on the
.changes and .dsc files, renaming the resulting *.changes.asc and
*.dsc.asc to *.changes and *.dsc as dpkg-buildpackage suggests?

Is this:
|-----BEGIN PGP SIGNED MESSAGE-----
|Hash: SHA1
|
|Format: 1.6
|Date: Mon,  7 May 2001 16:18:42 +0200
|Source: run
|Binary: run
|Architecture: source i386
|Version: 0.9.2-6
|Distribution: unstable
|Urgency: low
|Maintainer: Marc Haber <mh+debian-packages@zugschlus.de>
|Description:
| run        - Watch programs and restart them if they die
|Changes:
| run (0.9.2-6) unstable; urgency=low
| .
|   * fixed -d description in manpage (closes: Bug #85100)
|   * minor fixes in the upstream code's interprocess communication
|   * added Build-Depends:
|   * Changed maintainer address
|   * bumped Standards-Version to 3.5.2
|   * removed debian/*.ex
|   * learned to invoke lintian not on the .deb, but on .changes. duh.
|Files:
| e79b7aeadbdbd2baa509b6ed965da74b 336 admin optional run_0.9.2-6.dsc
| 5c3e9908a580d2194614157cace23cf6 3751 admin optional run_0.9.2-6.diff.gz
| 6a69c01c47249dc3805ac298faada64b 13850 admin optional run_0.9.2-6_i386.deb
|-----BEGIN PGP SIGNATURE-----
|Version: GnuPG v1.0.4 (GNU/Linux)
|Comment: For info see http://www.gnupg.org
|
|iD8DBQE69rh3gZalRGu6PIQRApnRAJ9sSi+8WQEVhyPNA1kmhtnGfhvbQACgkCjO
|c5gxk7QPvwzU06cD1htRm58=
|=xkYi
|-----END PGP SIGNATURE-----

a validly signed .changes file?

Any hints will be appreciated.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
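
An added example, not part of the original message: the .changes file lists the size and MD5 of the .dsc, and clearsigning the .dsc rewrites its bytes, so the .dsc entry has to be refreshed before the .changes itself is signed. The Python sketch below parses the Files: field and checks each entry against the files on disk, before and after a stand-in for the signing step. The function names, the .dsc content and the signature placeholder are constructed for illustration.

```python
import hashlib
import os
import tempfile

def files_entries(control_text):
    """Return [(md5, size, name)] from the Files: field of a .changes body."""
    entries, in_files = [], False
    for line in control_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # end of the signed text
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):
            parts = line.split()
            entries.append((parts[0], int(parts[1]), parts[-1]))
        else:
            in_files = False
    return entries

def check(control_text, directory):
    """Map each listed file name to True if its size and MD5 on disk match."""
    result = {}
    for md5, size, name in files_entries(control_text):
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        result[name] = len(data) == size and hashlib.md5(data).hexdigest() == md5
    return result

def demo():
    """Constructed sample: an unsigned .dsc, then the same file clearsigned."""
    name = "run_0.9.2-6.dsc"
    dsc = b"Format: 1.0\nSource: run\nVersion: 0.9.2-6\n"  # constructed content
    changes = "Format: 1.6\nSource: run\nFiles:\n %s %d admin optional %s\n" % (
        hashlib.md5(dsc).hexdigest(), len(dsc), name)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(dsc)
        before = check(changes, tmp)
        # Stand-in for `gpg --clearsign`: the armor wrapper changes the bytes.
        with open(path, "wb") as fh:
            fh.write(b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n" + dsc +
                     b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n"
                     b"-----END PGP SIGNATURE-----\n")
        after = check(changes, tmp)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Running check() on the workstation against the files copied from the build machine, just before signing the .changes, confirms that the signature covers the artifacts actually present.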


