Re: Packages getting created without signature

To: debian-mentors@lists.debian.org
Subject: Re: Packages getting created without signature
From: iluvlinux <iluvubuntu@gmail.com>
Date: Fri, 14 Dec 2007 01:46:45 -0800 (PST)
Message-id: <14332645.post@talk.nabble.com>
In-reply-to: <20071214091657.GA22645@imsc.res.in>
References: <14292654.post@talk.nabble.com> <981da8a40712120323i57209cf2h473f6642abe2516@mail.gmail.com> <14294430.post@talk.nabble.com> <20071212125856.GA12219@debian.akumar.iitm.ac.in> <14310223.post@talk.nabble.com> <14313530.post@talk.nabble.com> <200712131221.53263.cobaco@linux.be> <981da8a40712130456x7366cf43g5a88829d1973a6c@mail.gmail.com> <14331749.post@talk.nabble.com> <20071214091657.GA22645@imsc.res.in>

hi

but dpkg-buildpackage command asks for passphrase just before building the
package (at dh_builddeb ). so how can i check it with lintian etc.

Do you want that first i should build a package, check it and than use gpg
separately for signing the package?

bye


Kapil Hari Paranjape wrote:
> 
> Hello,
> 
> On Fri, 14 Dec 2007, iluvlinux wrote:
>> Storing your passphrase in a file or ENV variable is never "safe" as told
>> in
>> documents and by mentors.
> 
> True enough. Yet ...
> 
>> than here's what i found:
>> gpg's default home dir is ~/.gunpg (you can change it using --homedir
>> option, using this option will,  upto some extent provides at-least some
>> security as no one knows where your default directory is)
>> create a file gpg.conf in that folder and edit it to contain text as
>> "passphrase <your-passphrase>"
> 
> ... here you are suggesting that you store the passphrase in a file!
> 
> A much better option is to use the gpg agent.
> 
> As far as signing packages is concerned, I would recommend that you
> never do this "in the background". You need to verify the package
> *before* you sign it. Your signature on the package affirms that you
> have checked it as thoroughly as possible and are certifying this. So
> run lintian, piuparts and so on before you sign a package.
> 
> Regards,
> 
> Kapil.
> --
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-mentors-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Packages-getting-created-without-signature-tp14292654p14332645.html
Sent from the debian-mentors mailing list archive at Nabble.com.

Reply to:

Follow-Ups:
- Re: Packages getting created without signature
  - From: Colin Tuckley <colin@tuckley.org>
- Re: Packages getting created without signature
  - From: Kapil Hari Paranjape <kapil@imsc.res.in>

References:
- Packages getting created without signature
  - From: iluvlinux <iluvubuntu@gmail.com>
- Re: Packages getting created without signature
  - From: "Michael Lamothe" <michael.lamothe@gmail.com>
- Re: Packages getting created without signature
  - From: iluvlinux <iluvubuntu@gmail.com>
- Re: Packages getting created without signature
  - From: Kumar Appaiah <akumar@ee.iitm.ac.in>
- Re: Packages getting created without signature
  - From: iluvlinux <iluvubuntu@gmail.com>
- Re: Packages getting created without signature
  - From: iluvlinux <iluvubuntu@gmail.com>
- Re: Packages getting created without signature
  - From: "cobaco (aka Bart Cornelis)" <cobaco@linux.be>
- Re: Packages getting created without signature
  - From: "Michael Lamothe" <michael.lamothe@gmail.com>
- Re: Packages getting created without signature
  - From: iluvlinux <iluvubuntu@gmail.com>
- Re: Packages getting created without signature
  - From: Kapil Hari Paranjape <kapil@imsc.res.in>

Prev by Date: Re: Packages getting created without signature
Next by Date: Re: Packages getting created without signature
Previous by thread: Re: Packages getting created without signature
Next by thread: Re: Packages getting created without signature
Index(es):
- Date
- Thread