Re: Packages getting created without signature
On Fri, 14 Dec 2007, iluvlinux wrote:
> Storing your passphrase in a file or ENV variable is never "safe" as told in
> documents and by mentors.
True enough. Yet ...
> than here's what i found:
> gpg's default home dir is ~/.gunpg (you can change it using --homedir
> option, using this option will, upto some extent provides at-least some
> security as no one knows where your default directory is)
> create a file gpg.conf in that folder and edit it to contain text as
> "passphrase <your-passphrase>"
... here you are suggesting that you store the passphrase in a file!
A much better option is to use the gpg agent.
As far as signing packages is concerned, I would recommend that you
never do this "in the background". You need to verify the package
*before* you sign it. Your signature on the package affirms that you
have checked it as thoroughly as possible and are certifying this. So
run lintian, piuparts and so on before you sign a package.