Releasing 2.0.3
Anders F Björklund
afb at macports.org
Tue Sep 6 02:35:31 PDT 2011
Rainer Müller wrote:
>>> They are detached signatures created with GnuPG:
>>>
>>> gpg --armor --detach-sign MacPorts-2.0.3-10.5-Leopard.dmg
>>>
>>> Of course this requires a previous set up of a PGP key which would be
>>> quite useless without signatures proving your identity.
>>
>> Wouldn't you also need GnuPG, in order to verify it?
>>
>> Like, before installing MacPorts.
>
> Well, this is exactly the reason it's not a mandatory step documented in the ReleaseProcess as it has known problems.
>
> As an alternative, we could create detached rmd160 signatures using openssl as we do for the packages now. But you would need a public key to verify them. That key needs to be verified as well against a known authority (which?). Where should we publish it?
>
> I don't know any good solution for this.
Me neither, I'm using /usr/local/bin/gpg* here...
(and then gpg --recv-key --keyserver pgp.mit.edu)
But it has a GPLv3+ license.
--anders
* from http://afb.users.sourceforge.net/zero-install/GnuPG.pkg
(originally I was using http://macgpg.sourceforge.net/ but)
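As an added example (not from the thread and not MacPorts' own scripts), the openssl detached-signature flow Rainer describes as the alternative, including the verify step a user would run before installing and a check that a tampered file fails; it assumes openssl and bash, and uses sha256 rather than rmd160 because rmd160 is not available in every OpenSSL build.

```shell
#!/usr/bin/env bash
# Added example: detached signatures with openssl instead of GnuPG.
# Assumes: openssl (1.1 or 3.x), bash. Hash is sha256 (rmd160 support
# varies between OpenSSL versions); the sign/verify flow is otherwise the same.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One-time: the release manager's key pair. Only release.pub is published,
# and it must itself reach users over a trusted channel (the open problem
# discussed in the thread: where to publish it and who vouches for it).
make_release_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/release.key" 2>/dev/null
  openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/release.pub" 2>/dev/null
}

# Sign an artifact, writing a detached signature next to it (<file>.sig).
sign_artifact() {
  openssl dgst -sha256 -sign "$WORK/release.key" -out "$1.sig" "$1"
}

# What a user runs before installing: verify the detached signature against
# the published key. Prints "ok" or "bad" and returns 0 / 1 for callers.
verify_artifact() {
  if openssl dgst -sha256 -verify "$WORK/release.pub" \
       -signature "$1.sig" "$1" >/dev/null 2>&1; then
    echo ok; return 0
  else
    echo bad; return 1
  fi
}

# Demo with a constructed stand-in for MacPorts-2.0.3-10.5-Leopard.dmg.
demo() {
  make_release_key
  f="$WORK/MacPorts-2.0.3.dmg"
  printf 'constructed dmg contents\n' > "$f"
  sign_artifact "$f"
  verify_artifact "$f"              # ok: untouched artifact
  printf 'X' >> "$f"                # append one byte, as a tampered download would differ
  verify_artifact "$f" || true      # bad: signature no longer matches
}
```

Note that a successful verify only proves the file was signed by whoever holds release.key; the thread's unresolved question is how a user knows release.pub really belongs to the MacPorts release manager.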