[dev] Signing Packages
Jan Schneider
jan at horde.org
Fri Oct 18 15:56:36 UTC 2013
Quoting Mathieu Parent <math.parent at gmail.com>:
> Hi,
>
> 2013/10/17 Michael M Slusarz <slusarz at horde.org>:
>> For security reasons, we should be signing our packages. This is easily
>> done via 'pear sign [packagefile]'.
>>
>> Granted, there isn't any easy utility to *verify* the signature (at least in
>> PEAR itself). But it wouldn't hurt to be doing this going forward.
And there probably won't ever be such a feature in PEAR itself, since
development has essentially stalled. But I agree it won't hurt either.
> This is very important for us packagers (me=Debian packager).
>
>> FYI: The signature is based on the package.xml file. So verifying is done
>> by:
>> gpg --verify package.sig package.xml
>
> But what will be the trusted signing keys?
Good question. This could be either personal developer keys that
include horde.org identities, or a single build key for the whole
project. I slightly prefer the former, because sharing a private key
among developers is always problematic if you don't have a central
build infrastructure.
--
Jan Schneider
The Horde Project
http://www.horde.org/
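An added example, not code from this thread or from the Horde project: a POSIX shell verifier that runs the `gpg --verify package.sig package.xml` step quoted above against a dedicated keyring and accepts the signature only when the signing key's fingerprint is on a pinned list, which is one way a packager can settle the "trusted signing keys" question. The keyring file name, the fingerprints and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Verify a PEAR package's detached
# signature (package.sig over package.xml) and accept it only if it was made
# by a pinned developer key. The keyring file name and the fingerprints below
# are hypothetical placeholders, not real Horde keys.
TRUSTED_FPRS="0000000000000000000000000000000000000001
0000000000000000000000000000000000000002"

# check_status: read gpg --status-fd output on stdin. Print the signing key's
# fingerprint and return 0 only if the signature is VALIDSIG and that
# fingerprint is pinned. gpg's own exit code is not enough: 0 means "good
# signature by some key in the keyring", not "a key we decided to trust".
check_status() {
    fpr=""
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                fpr=${line#"[GNUPG:] VALIDSIG "}   # strip the prefix ...
                fpr=${fpr%% *}                     # ... keep the fingerprint
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1             # wrong, expired, revoked or unknown key
                ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ -n "$fpr" ] || return 1
    for trusted in $TRUSTED_FPRS; do
        if [ "$trusted" = "$fpr" ]; then
            printf '%s\n' "$fpr"
            return 0
        fi
    done
    return 1                      # valid signature, but not by a pinned key
}

# verify_package SIG FILE [KEYRING]: run gpg against a dedicated keyring
# (never the user's default one) and hand the status lines to check_status.
verify_package() {
    gpg --batch --no-default-keyring --keyring "${3:-horde-trusted.gpg}" \
        --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Usage: verify_package package.sig package.xml && echo trusted || echo REJECT
```

Importing only the developers' keys into the dedicated keyring and pinning their fingerprints covers both options Jan mentions: a list of personal keys or a single project build key.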