PackageSigning

Joel Roth edited this page Apr 30, 2017 · 2 revisions

QuickStart

First you need to create a pair of GPG keys. A nice GUI tool for this is KGpg. This is included with recent KDE-Utils.

If you haven't used KGpg before, running kgpg starts the "KGpg Wizard". Follow the instructions to generate your key pair. Suggestions for key length and other properties? I've used the default settings: 1024 and DSA/ElGamal.

After the wizard, export your public key to a file. Use "KeyManager --import key.asc" to import the public key to Gobo's system keyring.

Now you can use "CreatePackage --sign" and SignProgram to create signed packages and /Programs.

Overview

Private keys are kept in the user's /.gnupg/keyrings. Public keys, used for verification, are kept in /Programs/Scripts/Current/Data/gpg/goboring.gpg.

Resources/FileHash is a text file containing the md5sums for each file.

Resources/FileHash.sig is the gpg signature for FileHash.
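
The check this layout implies, as an added example (not GoboLinux's own script): verify FileHash.sig against the system keyring first, then check the digests, then flag files on disk that FileHash does not list. It assumes FileHash is in md5sum(1) output format with paths relative to the program directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: FileHash holds md5sum(1) output lines with
# paths relative to the program directory (the page does not give the format).

KEYRING=/Programs/Scripts/Current/Data/gpg/goboring.gpg   # path from the page

# Step 1: the signature over FileHash must verify against the system
# keyring only, never the caller's personal keyring.
verify_signature() {   # $1 = program dir, $2 = keyring (optional)
    gpg --no-default-keyring --keyring "${2:-$KEYRING}" \
        --verify "$1/Resources/FileHash.sig" "$1/Resources/FileHash"
}

# Step 2: every file listed in FileHash must match its recorded digest.
check_filehash() {     # $1 = program dir
    ( cd "$1" && md5sum -c Resources/FileHash >/dev/null 2>&1 )
}

# Step 3: print files that exist on disk but are not listed in FileHash.
# md5sum -c never looks at these, so an added file passes step 2 unnoticed.
unlisted_files() {     # $1 = program dir
    ( cd "$1" || exit 1
      find . -type f ! -path ./Resources/FileHash \
                     ! -path ./Resources/FileHash.sig |
      sed 's|^\./||' | sort |
      while IFS= read -r f; do
          # An md5sum line is 32 hex digits, a space, a mode character
          # (space or *), then the path starting at column 35.
          cut -c35- Resources/FileHash | grep -Fxq -- "$f" ||
              printf '%s\n' "$f"
      done )
}

# Hashes are only trusted after the signature check has passed.
verify_program() {     # $1 = program dir, $2 = keyring (optional)
    verify_signature "$1" "$2" || { echo "bad signature" >&2; return 1; }
    check_filehash "$1"        || { echo "hash mismatch" >&2; return 2; }
    extra=$(unlisted_files "$1")
    [ -z "$extra" ] || { echo "unsigned files: $extra" >&2; return 3; }
}

# Usage: sh verify.sh <program-version-dir> [keyring]
if [ "$#" -gt 0 ]; then verify_program "$@"; fi
```

Running the digest check without the signature check proves nothing, since anyone who can modify a file can also rewrite FileHash.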
