On Tue, 2016-10-18 at 23:34 +0200, Ansgar Burchardt wrote:
> Ben Hutchings writes:
> > On Tue, 2016-10-18 at 22:55 +0200, Ansgar Burchardt wrote:
> > > Is there any documentation how this is supposed to work?
> >
> > Nothing comprehensive as yet. Where should it go?
>
> It doesn't need to be comprehensive. I just would like to understand
> what needs to happen.
[...]

In brief:

1. A first source package (grub, linux, etc.) builds byhand tarballs
   containing all the files that need signing, in addition to the usual
   binary packages.
2. The byhand script on dak unpacks the tarball, generates detached
   signatures using the appropriate key(s) and publishes another tarball
   containing those signatures.
3. The maintainer prepares a second source package (grub-signed,
   linux-signed, etc.) containing the detached signatures. It
   build-depends on the unsigned binary packages produced by the first
   source package, and builds signed binary packages based on them.

I hope that answers all your questions.

Ben.

-- 
Ben Hutchings
To err is human; to really foul things up requires a computer.
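
The three steps above, sketched end to end as an added example (not code from dak or from the packages discussed). HMAC-SHA256 stands in for the archive's real signing operation, which the message does not specify; the function names, the `.sig` suffix and the sample paths are assumptions.

```python
import hashlib, hmac, io, tarfile

def make_tarball(files):
    """Pack {path: bytes} into an in-memory tar.gz (stand-in for a byhand tarball)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_tarball(blob):
    """Return {path: bytes}; accept only regular files under relative paths,
    since the signing side is unpacking a tarball it did not build itself."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            if not m.isfile() or m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError(f"refusing tar member {m.name!r}")
            out[m.name] = tar.extractfile(m).read()
    return out

def _sign(key, data):
    # Assumption: placeholder for the real detached-signature operation.
    return hmac.new(key, data, hashlib.sha256).digest()

def sign_tarball(unsigned_blob, key):
    """Step 2: one detached signature per file, published as a second tarball."""
    files = read_tarball(unsigned_blob)
    return make_tarball({p + ".sig": _sign(key, d) for p, d in files.items()})

def pair_signatures(binaries, sig_blob, key):
    """Step 3: match each unsigned binary with its signature.
    A real build would verify with the public key; the stand-in reuses `key`."""
    sigs = read_tarball(sig_blob)
    paired = {}
    for path, data in binaries.items():
        sig = sigs.get(path + ".sig")
        if sig is None or not hmac.compare_digest(sig, _sign(key, data)):
            # The unsigned package changed after signing, or was never signed.
            raise ValueError(f"missing or stale signature for {path}")
        paired[path] = (data, sig)
    return paired
```

The stale-signature check in `pair_signatures` reflects why the second source package build-depends on the unsigned binaries: a detached signature is only valid for the exact bytes that were signed.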