
Re: Some questions related to signing

On Tue, Apr 24, 2012 at 10:13 AM, Christopher Howard wrote:

> * I make binary deb packages available for my projects from my Web site,
> but I also wanted to make the deb source files available, so that people
> can wrap their own binary debs for other architectures. I know that they
> need the *.orig.tar.gz file, the *.dsc file, and the *.debian.tar.gz
> file. However, what is the relevance of the *.changes files?

The changes files are only used for making changes to an apt
repository and most people running an apt repository aren't using
anything that uses .changes to make changes to the repository. It is
likely that the .changes file is irrelevant for your case.

> * I haven't been signing the source files, because my code signing keys
> are on a separate system, which happens to be a non-debian system. I
> understand that the "debsign" program is for this purpose. Is debsign
> its own project, or is it part of some other package? (So I can
> download it to my non-debian system.) Also, relating to the previous
> question: do I need debsign (for adjusting the changes files as well) or
> is it enough to run some gpg signing command on the .dsc file?

debsign is part of the devscripts package and seems fairly
self-contained. You can also always run gpg manually with the
--clearsign option.


