Releasing 2.0.3
Rainer Müller
raimue at macports.org
Tue Sep 6 02:24:06 PDT 2011
On 09/06/2011 10:06 AM, Anders F Björklund wrote:
> Rainer Müller wrote:
>> They are detached signatures created with GnuPG:
>>
>> gpg --armor --detach-sign MacPorts-2.0.3-10.5-Leopard.dmg
>>
>> Of course this requires a previous set up of a PGP key which would be
>> quite useless without signatures proving your identity.
>
> Wouldn't you also need GnuPG, in order to verify it?
>
> Like, before installing MacPorts.

Well, this is exactly the reason it's not a mandatory step documented in
the ReleaseProcess as it has known problems.

As an alternative, we could create detached rmd160 signatures using
openssl as we do for the packages now. But you would need a public key
to verify them. That key needs to be verified as well against a known
authority (which?). Where should we publish it?

I don't know any good solution for this.

Rainer