On 12 November 2011 08:04, Ionut Biru wrote:
> On 11/12/2011 01:59 AM, Dan McGee wrote:
>> On Fri, Nov 11, 2011 at 5:56 PM, Ionut Biru wrote:
>>> On 11/12/2011 01:43 AM, Ray Rashif wrote:
>>>> On 12 November 2011 07:35, Dan McGee wrote:
>>>>> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif wrote:
>>>>>> On 31 October 2011 02:06, Florian Pritz wrote:
>>>>>>> So far the only solution is to download the finished package, sign it
>>>>>>> locally using gpg --detach-sign <file> and then uploading the signature
>>>>>>> back to pkgbuild.com so commitpkg will find it.
>>>>>>
>>>>>> Did something change WRT this workflow now? I'm getting
>>>>>> signature-incorrect from commitpkg. I did sign like this 2 times
>>>>>> before (opencv and cinelerra-cv), so it did work recently. gpg
>>>>>> --verify outputs:
>>>>>>
>>>>>> gpg: Can't check signature: public key not found
>>>>>>
>>>>>> But this is normal, and the public key was not there for the previous
>>>>>> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
>>>>>> need to import my public key on alderaan?
>>>>>
>>>>> Is your key in your keychain on alderaan? Probably not from what this
>>>>> looks like. Easy to check- `gpg --list-keys 0xfoobar`.
>>>>>
>>>>> -Dan
>>>>>
>>>>
>>>> Nope. That was what I was asking - whether I need to add it. The last
>>>> 2 times that I pushed signed packages from alderaan I didn't do
>>>> anything gpg-related remotely.
>>>>
>>>> Anyway, imported the key now so all is good again.
>>>>
>>>>
>>>> --
>>>> GPG/PGP ID: C0711BF1
>>>
>>> don't import any key on alderaan.
>>
>> Hmm?
>>
>> He is trying to *verify*, meaning he needs his *public* key. This has
>> nothing to do with signing or private keys. It makes a heck of a lot
>> more sense bandwidth-wise for him to upload the signature file to
>> alderaan than upload both the package and signature from his local
>> machine, so why should he not be able to do that? The `gpg --verify`
>> call is there to make sure developers don't accidentally upload
>> mismatched packages and corresponding signature files, which could
>> easily happen when doing test builds and --nosign, etc.
>>
>> -Dan
>
>
> well, i understood that he signed the package on alderaan...
Then you misunderstood. My reply to the topic meant I was referring to the
only workaround to "sign packages on alderaan", which is to build, download
packages, sign locally, upload signatures, and then push wholesale.

I followed that process on 2 previous occasions and there was no complaint
even when there was no public key on the remote machine, but this time
commitpkg complained about the signatures. So I only wanted to know whether I
did anything wrong.

Anyway, it's now evident that the verification was not there before.
Importing a public key poses no risk (done with --recv-keys), so there is also
no need to change anything in commitpkg.

--
GPG/PGP ID: C0711BF1
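The three situations the thread runs through (verify with no public key in the remote keyring, verify after the key is imported, verify against a package that was rebuilt after signing) can be reproduced locally with two throwaway keyrings. The script below is an added example written for this page; it is not code from the thread, from devtools or from commitpkg. It assumes GnuPG 2.1 or later is installed, uses export/import over a pipe in place of the `--recv-keys` keyserver fetch mentioned above (no network needed), and the package file, its contents and the key's user ID `dev@example.invalid` are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, devtools or commitpkg).
# LOCAL  = the developer's workstation keyring (holds the private key)
# REMOTE = the build host keyring, standing in for alderaan (empty at first)
set -eu

# Run gpg non-interactively against a given keyring directory.
gpg_in() {
    home="$1"; shift
    GNUPGHOME="$home" gpg --batch --pinentry-mode loopback --passphrase '' "$@"
}

setup_keyrings() {
    WORK=$(mktemp -d)
    LOCAL="$WORK/local"
    REMOTE="$WORK/remote"
    mkdir -m 700 "$LOCAL" "$REMOTE"
    # Throwaway signing-only key, no passphrase (user ID is made up).
    gpg_in "$LOCAL" --quiet --quick-generate-key \
        'Example Dev <dev@example.invalid>' ed25519 sign never
}

# "Build" a package on the remote host (constructed placeholder content).
build_remote_package() {
    PKG="$WORK/example-1.0-1-x86_64.pkg.tar.xz"
    printf 'constructed package contents\n' > "$PKG"
}

# Developer downloads the package, signs it locally with --detach-sign and
# uploads the .sig back. Here both hosts share a filesystem, so the
# signature simply lands next to the package.
sign_locally() { gpg_in "$LOCAL" --yes --detach-sign "$1"; }

# The commitpkg-style check: verify the detached signature in the REMOTE
# keyring. Exit status is gpg's: 0 only for a good signature from a key
# that keyring knows.
verify_on_remote() { gpg_in "$REMOTE" --verify "$1.sig" "$1"; }

# Make the public key known on the remote host. The thread did this with
# --recv-keys; this offline stand-in pipes an export into an import.
publish_pubkey() {
    gpg_in "$LOCAL" --export dev@example.invalid | gpg_in "$REMOTE" --import
}

cleanup() {
    GNUPGHOME="$LOCAL" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$REMOTE" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

# Walk through the three cases from the thread. Returns 0 if every case
# behaves as described there, 1 otherwise.
run_demo() {
    setup_keyrings
    build_remote_package
    sign_locally "$PKG"

    # 1. Public key absent from the remote keyring: gpg cannot check the
    #    signature and exits non-zero ("No public key").
    if verify_on_remote "$PKG" 2>/dev/null; then
        echo "unexpected: signature verified without the public key"; return 1
    fi

    # 2. Import the public key only (no private material moves): the same
    #    signature now verifies.
    publish_pubkey 2>/dev/null
    verify_on_remote "$PKG" 2>/dev/null || {
        echo "unexpected: good signature rejected after import"; return 1; }

    # 3. Package rebuilt after signing (the test-build / --nosign mix-up the
    #    check exists for): the stale .sig no longer matches, gpg fails.
    printf 'rebuilt package contents\n' > "$PKG"
    if verify_on_remote "$PKG" 2>/dev/null; then
        echo "unexpected: stale signature accepted for rebuilt package"; return 1
    fi

    cleanup
    echo "all three cases behaved as the thread describes"
}

run_demo
```

Run it as `sh sig-demo.sh` (any file name). Case 1 is the "Can't check signature" message from the thread and only needs the public key fixed, which is why importing it on the build host is harmless; case 3 is the mismatch that the `gpg --verify` call in commitpkg is there to catch, and it fails even with the key present.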

