It used to make some kind of sense when pkg_create could indeed create
the signed package in one pass.

Now, the new signing mode means you have to build the package and copy
it anyway. Heck, the code is not even inside pkg_sign proper, pkg_sign
is going to become a shell that just keeps the "run things in parallel
thingie".

As for personal use, there's often little sense in signing your own packages.
If you stream them on a private network, nobody can read them. If you stream
them over the internet, you can probably use scp fairly often.

Production systems did do after-the-fact signing. Especially since creating
packages no longer requires root (the official packages never used
SIGNING_PARAMETERS).

Signing packages requires access to the private key, something that is best
completely separated from building the packages...

(paranoia? err, we're talking about signing packages there. OF COURSE
you have to be paranoid)

I'm actually surprised that a few people were using SIGNING_PARAMETERS.
I don't think it's going to be complicated to move to pkg_sign.

The final switch is going to happen reasonably soon... as soon as all the
production machines know about new signing, which gives me yet a few more
days to run a few more tests.
