On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge <conc...@gentoo.org> wrote:
> > so looks like we need to combine both methods and do the following:
> > - if signing requested without compression - sign in pkg_preinst.
> > - if signing requested with compression - sign in src_install
> >
>
> Why can't we do both in pkg_preinst? I am thinking it would be best if
> we drop the current compression implementation and rework your old code
> to handle both compression and signing since the signing code is more or
> less already complete.

Signing modules in pkg_preinst seems like a bad idea to me. That means you need to copy your private keys around to every host where the package might be installed. If you sign in src_compile or src_install, you only need private keys on the system building your binpkg.