have a GPG key
Create your new key:
gpg --gen-key
Back it up:
gpg --export-secret-keys --armor <keyid> > my_key_backup.asc
In case you need to import the backup later:
gpg --import <backup_file>
,
gpg --edit-key <keyid>
and
trust
it ultimately.
Export the public key:
gpg --export --armor <keyid> > my_pub_key.asc
If you’re going to use the key for GPG/MIME or share your signed packages with other people, you probably need publish your key:
gpg --send-key <keyid>
import into pacman
This is needed because pacman has its own keystore and own rules for trusting keys. Either you get approved as a packager for the MSYS2 project, or you have to import your key manually.
To import and sign your key with pacman-key:
-
pacman-key --add <pubkeyfile>
, or if it’s published
pacman-key --recv-keys <keyid>
-
pacman-key --lsign-key <keyid>
To make your key a trusted developer key for signing official packages, you have to get your key included in the respective keyring and get it signed by at least 3 master keys.. The package and repository for Condres Linux is condres-keyring, see https://github.com/specialworld83/condres-packages/tree/master/condres-keyring. These packages install keyring files into
/usr/share/pacman/keyrings
which then can be imported and locally signed in one batch using
pacman-key --populate <keyringname>
.
actually sign stuff
- Old packages:
gpg --detach-sign --no-armor <pkg>
for each package (all such packages need to be re-
repo-add
ed to make the database aware of the new signatures)
- New packages: just add
--signto makepkg command line or set the relatedmakepkg.confoption - Databases:
repo-add -s -v <db> <pkg>
