[dev] Signing Packages
Mathieu Parent
math.parent at gmail.com
Fri Oct 18 10:40:12 UTC 2013
Hi,
2013/10/17 Michael M Slusarz <slusarz at horde.org>:
> For security reasons, we should be signing our packages. This is easily
> done via 'pear sign [packagefile]'.
>
> Granted, there isn't any easy utility to *verify* the signature (at least in
> PEAR itself). But wouldn't hurt to be doing this going forward.
This is very important for us packagers (me=Debian packager).
> FYI: The signature is based on the package.xml file. So verifying is done
> by:
> gpg --verify package.sig package.xml
But what will be the trusted signing keys?
--
Mathieu
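The question of which keys to trust is the crux of the verification step quoted above: `gpg --verify package.sig package.xml` exits 0 for any key in the user's keyring, not only for the project's release keys. The following is an added example, not code from the Horde thread or from PEAR, showing how a packager could pin the accepted signing keys. It assumes a dedicated keyring file (`horde-release-keys.gpg`) and a set of full fingerprints; both names and the fingerprint value are constructed placeholders. The `gpg --status-fd` keywords (`GOODSIG`, `VALIDSIG`, `BADSIG`, and so on) are GnuPG's documented machine-readable output.

```python
"""Verify a PEAR package.sig against package.xml with a pinned set of
signing keys.  Added example; it is not part of the original thread.

Why parse status lines instead of trusting the exit code: gpg returns 0
whenever *some* known key made a valid signature.  The fingerprint on the
VALIDSIG line is what ties the signature to a key we chose to trust.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

# Constructed placeholder; a real deployment lists the project's published
# release-key fingerprints here (full 40-hex-digit form, not short key IDs).
TRUSTED_FINGERPRINTS: Set[str] = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Status lines a verifier must treat as a rejection even though gpg may
# still print other informational lines around them.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class VerifyResult:
    ok: bool
    fingerprint: Optional[str]
    reason: str


def parse_gpg_status(status_text: str, trusted: Set[str]) -> VerifyResult:
    """Interpret `gpg --status-fd` output.

    Accept only when a GOODSIG line is present, a VALIDSIG line carries a
    fingerprint, and that fingerprint is in the pinned set.
    """
    goodsig = False
    fingerprint = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            # VALIDSIG <fingerprint> <date> <timestamp> ... : field 2 is the
            # fingerprint of the signing (sub)key.
            fingerprint = fields[2].upper()
        elif keyword in REJECT_KEYWORDS:
            return VerifyResult(False, None, keyword)
    if not goodsig or fingerprint is None:
        return VerifyResult(False, fingerprint, "no valid signature")
    if fingerprint not in trusted:
        return VerifyResult(False, fingerprint, "signed by untrusted key")
    return VerifyResult(True, fingerprint, "GOODSIG from trusted key")


def verify_package(sig_path: str, xml_path: str, keyring: str,
                   trusted: Set[str] = TRUSTED_FINGERPRINTS) -> VerifyResult:
    """Run gpg against a dedicated keyring (hypothetical file name below) so
    the user's default keyring cannot widen what is accepted."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, xml_path],
        capture_output=True, text=True,
    )
    # Status lines were routed to stdout by --status-fd 1.
    return parse_gpg_status(proc.stdout, trusted)


# Constructed sample of gpg status output for a signature from the pinned key.
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key <release@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-10-17 "
    "1382000000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)


def demo() -> VerifyResult:
    """Parse the constructed sample so the module runs without gpg installed."""
    return parse_gpg_status(SAMPLE_GOOD_STATUS, TRUSTED_FINGERPRINTS)


if __name__ == "__main__":
    result = demo()
    print(result)
    # For a real package: verify_package("package.sig", "package.xml",
    #                                    "horde-release-keys.gpg")
```

Note the `TRUST_UNDEFINED` line in the sample: gpg's web-of-trust level is deliberately ignored here, because the pinned fingerprint set, not the local trust database, is what decides acceptance.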