2017-08-07 23:25 UTC
  • Xyne


Description: Easily create signed Pacman package repositories.
Latest Version: 2016.2
Source Code: src/
  • any
Arch Repositories:
  • [xyne-any]
  • [xyne-i686]
  • [xyne-x86_64]
AUR Page: repo-add_and_sign
Arch Forum Thread: 145763


repo-add_and_sign is a Python 3 script that wraps gpg, repo-add and repo-remove to batch-sign packages and generate signed repositories. The script will only prompt for a passphrase once and will not leave any keyring agents running. See the FAQ below.


Why not sign with makepkg and repo-add?

To use those options you either need to enter a passphrase for each file, which is very tedious, or you need to run a keyring agent in the background. Unless you are constantly signing things, the agent is unnecessary most of the time. It is also a security risk because anyone who can get access to your system would be able to use your key while the agent is running.

How do I generate a key?

Short answer: gpg --gen-key

Long answer: GPGMiniHowto.

If you had to ask, I suggest at least skimming the documentation.

Help Message

$ repo-add_and_sign --help

usage: repo-add_and_sign [-h] [-r <name>] [-e <extension>] [-a <architecture>]
                         [-o <path>] [--no-sign] [--copy] [--purge]
                         [--verbose] [-u <GPG UID>]
                         <pkg path> [<pkg path> ...]

Generate a signed repo for some packages.

optional arguments:
  -h, --help            show this help message and exit

Repo Options:
  <pkg path>            The packages to include in the repo. Use the "--arch"
                        option if you need to filter the input paths.
  -r <name>, --repo <name>
                        The name of the repo to create.
  -e <extension>, --archive-ext <extension>
                        The database archive extension. Default: ".tar.xz"
  -a <architecture>, --arch <architecture>
                        Filter the input files by architecture compatibility,
                        e.g. "--arch x86_64" will only include "x86_64" and
                        "any" packages. This is useful when generating a repo
                        from a pool of packages.
  -o <path>, --out <path>
                        The output directory in which to create the repo.
                        Defaults to the current directory.
  --no-sign             Do not sign packages and databases.
  --copy                Copy extradirectorial packages instead of symlinking
  --purge               Purge older versions of packages and databases.
  --verbose             Increase verbosity when running commands.

GPG Options:
  -u <GPG UID>, --uid <GPG UID>
                        The user ID of the signing key. This option accepts
                        anything that can be passed to gpg's "-u" option.


GPG Signing

For signing you will need to add allow-loopback-pinentry to ~/.gnupg/gpg-agent.conf.



  • added --copy option as suggested by mortbauer from the Arch Linux forums


  • improved checking of signature modification times to ensure consistency


  • added --verbose option
  • delete matching signatures when purging old packages
echo | sed 's/\./@/'
Blog News
XHTML 1.0 Strict CSS level 3 Atom 1.0