
Separate GPG subkey for package signing



Good afternoon,

I am not sure this is the right forum and the right question at all, but I'll assume it is and take my chances - if it turns out to be a wrong assumption, I do apologise in advance. ;)

I bumped into a piece of software I needed on my server(s) and I figured I'd rather package it up instead of compiling it in place, to avoid having a compiler installed. Coincidentally it's been on the ITP/RFP list for ages, so I figured if I jump through all the hoops and learn how to create .deb packages, I might as well be a nice person and get it all the way into Debian.

The package builds fine locally using pbuilder for several architectures. I do believe all the other niceties are included (man page, etc.). I am at the stage where it says: "sign and upload the package to mentors.debian.org".

I thought I'd create a separate subkey for signing the package (and keep my master key off-line, and the other keys separate from this debian-signing-subkey). Would that be considered good practice? Or is there something I can't see here?

Regards,
Daniel
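The key layout the post asks about, as an added example that is not part of the original message or of any Debian tooling: a throwaway GnuPG 2.1+ setup with a certify-only primary key, a separate signing subkey, a second keyring that receives only that subkey (the primary shows up there as a stub), and a signature over a constructed .changes-like file that is then checked to come from the subkey rather than the primary. The identity, directories and sample file are assumed for the demonstration; gpg and awk must be installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Debian tooling:
# a certify-only primary key kept on an "offline" keyring, a separate
# signing subkey, and a "build" keyring that receives only that subkey.
# The identity, paths and the sample .changes file are made up.
# Requires GnuPG 2.1 or newer (for the --quick-* commands) and awk.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
OFFLINE="$WORK/offline"   # stands in for the machine holding the master key
BUILD="$WORK/build"       # stands in for the host that signs and uploads
mkdir -m 700 "$OFFLINE" "$BUILD"
trap 'gpgconf --homedir "$OFFLINE" --kill gpg-agent 2>/dev/null; gpgconf --homedir "$BUILD" --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

UID_STR='Example Maintainer <maintainer@example.org>'   # assumed identity

# Unattended gpg: no pinentry and an empty passphrase, for the demo only.
# A real master key gets a strong passphrase and lives on offline media.
g() { _home=$1; shift; gpg --batch --quiet --pinentry-mode loopback --passphrase '' --homedir "$_home" "$@"; }

# 1. On the offline side: a primary key that can only certify (no S/E/A),
#    then a signing-only subkey with an expiry, so it can be rotated.
g "$OFFLINE" --quick-generate-key "$UID_STR" ed25519 cert never
PRIMARY=$(g "$OFFLINE" --with-colons --list-keys "$UID_STR" \
          | awk -F: '$1=="fpr" {print $10; exit}')
g "$OFFLINE" --quick-add-key "$PRIMARY" ed25519 sign 1y
SIGNSUB=$(g "$OFFLINE" --with-colons --list-keys "$PRIMARY" \
          | awk -F: '$1=="sub" {s=1} $1=="fpr" && s {print $10; exit}')

# 2. Hand the build host the public key and the secret *subkey* only.
g "$OFFLINE" --export "$PRIMARY" > "$WORK/pub.gpg"
g "$OFFLINE" --export-secret-subkeys "$PRIMARY" > "$WORK/subkeys.gpg"
g "$BUILD" --import "$WORK/pub.gpg" "$WORK/subkeys.gpg"

# Check: the build keyring must hold only a stub for the primary secret key
# ('#' in field 15 of the sec record) plus a usable signing subkey (ssb with
# capability 's' and no '#').
build_has_only_subkey() {
  g "$BUILD" --with-colons --list-secret-keys "$PRIMARY" | awk -F: '
    $1=="sec" && $15=="#" {stub=1}
    $1=="ssb" && $15!="#" && $12 ~ /s/ {have_ssb=1}
    END {exit !(stub && have_ssb)}'
}

# 3. Sign on the build host with the subkey named explicitly; the trailing
#    '!' tells gpg to use exactly that subkey rather than pick one itself.
cat > "$WORK/example_1.0-1_amd64.changes" <<'EOF'
Format: 1.8
Source: example
Version: 1.0-1
Distribution: unstable
Changes:
 example (1.0-1) unstable; urgency=medium
 .
   * Initial release (constructed sample, not a real upload).
EOF
g "$BUILD" --local-user "${SIGNSUB}!" --clearsign \
  --output "$WORK/signed.changes" "$WORK/example_1.0-1_amd64.changes"

# Which key actually produced the signature? The VALIDSIG status line
# carries the fingerprint of the signing (sub)key as its first argument.
signing_key_of() {  # $1 = keyring, $2 = signed file
  g "$1" --status-fd 1 --verify "$2" 2>/dev/null \
    | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}'
}

build_has_only_subkey && echo "build host holds the signing subkey only"
echo "primary (certify-only): $PRIMARY"
echo "signed by subkey:       $(signing_key_of "$BUILD" "$WORK/signed.changes")"
```

In practice step 3 is what `debsign -k "${SIGNSUB}!"` does to the real .changes file, and `gpg --list-secret-keys` on the build host should show `sec#` for the primary, which is the quick way to confirm the master key never left the offline side. The public key you publish still contains the primary key and its self-signatures, since anyone verifying the upload needs them to tie the subkey to your identity.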
