repo-add_and_sign

Metadata
About
FAQ
- Why not sign with makepkg and repo-add?
- How do I generate a key?
Help Message
README
- GPG Signing
CHANGELOG

repo-add_and_sign

2017-05-15 05:55 UTC

Xyne

Metadata

Description:	Easily create signed Pacman package repositories.
Latest Version:	2016.2
Source Code:	src/
Architecture:	any
Dependencies:	pyalpm python3 python3-gpg_batch_sign
Arch Repositories:	[xyne-any] [xyne-i686] [xyne-x86_64]
AUR Page:	repo-add_and_sign
Arch Forum Thread:	145763
Tags:	arch linux pacman

About

repo-add_and_sign is a Python 3 script that wraps gpg, repo-add and repo-remove to batch-sign packages and generate signed repositories. The script will only prompt for a passphrase once and will not leave any keyring agents running. See the FAQ below.

FAQ

Why not sign with `makepkg` and `repo-add`?

To use those options you either need to enter a passphrase for each file, which is very tedious, or you need to run a keyring agent in the background. Unless you are constantly signing things, the agent is unnecessary most of the time. It is also a security risk because anyone who can get access to your system would be able to use your key while the agent is running.

How do I generate a key?

Short answer: gpg --gen-key

Long answer: GPGMiniHowto.

If you had to ask, I suggest at least skimming the documentation.

Help Message

$ repo-add_and_sign --help

usage: repo-add_and_sign [-h] [-r <name>] [-e <extension>] [-a <architecture>]
                         [-o <path>] [--no-sign] [--copy] [--purge]
                         [--verbose] [-u <GPG UID>]
                         <pkg path> [<pkg path> ...]

Generate a signed repo for some packages.

optional arguments:
  -h, --help            show this help message and exit

Repo Options:
  <pkg path>            The packages to include in the repo. Use the "--arch"
                        option if you need to filter the input paths.
  -r <name>, --repo <name>
                        The name of the repo to create.
  -e <extension>, --archive-ext <extension>
                        The database archive extension. Default: ".tar.xz"
  -a <architecture>, --arch <architecture>
                        Filter the input files by architecture compatibility,
                        e.g. "--arch x86_64" will only include "x86_64" and
                        "any" packages. This is useful when generating a repo
                        from a pool of packages.
  -o <path>, --out <path>
                        The output directory in which to create the repo.
                        Defaults to the current directory.
  --no-sign             Do not sign packages and databases.
  --copy                Copy extradirectorial packages instead of symlinking
                        them.
  --purge               Purge older versions of packages and databases.
  --verbose             Increase verbosity when running commands.

GPG Options:
  -u <GPG UID>, --uid <GPG UID>
                        The user ID of the signing key. This option accepts
                        anything that can be passed to gpg's "-u" option.

README

GPG Signing

For signing you will need to add allow-loopback-pinentry to ~/.gnupg/gpg-agent.conf.

CHANGELOG

2014-05-17

added --copy option as suggested by mortbauer from the Arch Linux forums

2013-01-31

improved checking of signature modification times to ensure consistency

2013-01-01

added --verbose option
delete matching signatures when purging old packages

Contact: echo xyne.archlinux.ca | sed 's/\./@/'
Feeds: Blog News
Validation: XHTML 1.0 Strict CSS level 3 Atom 1.0