Signing packages without violating restrictions/laws

Rainer Müller raimue at
Tue Apr 19 02:44:19 PDT 2016

On 2016-04-18 22:12, Mojca Miklavec wrote:
> I have a problem understanding those rules because we are not dealing
> with encrypted information, but merely use the same algorithms to
> verify authenticity of the packages. On the other hand I have problems
> believing that this problem really cannot be solved ... MacPorts
> apparently solved it.

To avoid the dependency on GnuPG, MacPorts uses a simpler, custom
signing mechanism. It is based on 'openssl dgst -sign' and currently
limited to rmd160 hashes only. This makes it less flexible than using
all the features of the OpenPGP format, but fits our needs. The steps on
how to sign an archive for MacPorts are described in SharingArchives2 [1].



More information about the macports-dev mailing list