While Stack will help you sign a single package while uploading or creating an sdist tarball, sig-tool will assist you in signing all of your Hackage packages in bulk. It works with Hackage to download your packages and then signs each of them with OpenPGP (GnuPG) and pushes those signatures to sig-service & sig-archive.
stack install sig-tool
-
GPG Keys
First you need to make sure you have a valid GPG key with which to sign packages. Refer to the FPCO Blog Post on creating an offline-master-key GPG key set.
-
Cabal Install
This tool leverages the command line tool `cabal-install`. If you don't have it already just issue a `stack install cabal-install`.
`sig-tool setup ` will download all your packages from Hackage and write a manifest file with all their SHA256 sums. Stack users may find it easier to run `stack exec – sig-tool setup ` so that GHC is in your PATH.
The tool stops after `setup` so you can unpack & view your release tarballs. You can also decide to trim out any packages you aren't interested in signing by simply remove them from the manifest file.
After you are finished inspecting your packages & trimming the manifest (if needed) run `sig-tool sign` to sign all your packages.