Background

Software distributed through XSEDE repositories must be signed so that consumers can verify its source.

This page documents how to sign software packages.

XSEDE developer signature

Every developer placing packages in the development repository must sign them with a personal signing-only key pair created as shown below. Keys must be 2048 or 4096 bits long (4096 recommended), expire in 2 years (730 days) or less, and use a SHA2 digest (SHA256 recommended).

...

to XSEDE repository administrators through an XSEDE ticket. Once the administrators have verified that the request is from you, they will add your key to the list of XSEDE-recognized developers so that others can verify that you produced the package.

How to sign RPMs

rpm --addsign <package>.rpm

How to sign TARs

gpg --output <package>.sig --detach-sig <package>.{tar,tgz}
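The key-generation, public-key export, signing and verification steps described above, as an added shell example that is not code from the XSEDE page. It assumes GnuPG 2.1 or later (for `%no-protection` in batch mode), runs entirely inside a throwaway GNUPGHOME so the real keyring is never touched, and uses a constructed developer name, e-mail address and tarball. Verification is done the way a consumer (or a repository check) would do it: by reading gpg's machine-readable status lines and requiring a VALIDSIG made with SHA256.

```shell
#!/bin/sh
# Added example, not from the XSEDE page. Requires GnuPG 2.1+.
# Name, e-mail, file names and tarball contents are constructed placeholders.
set -eu

DEV_EMAIL="developer@example.org"   # constructed placeholder uid

# Create a 4096-bit RSA signing-only key with a 730-day expiry, matching the
# policy stated on the page. $1 becomes GNUPGHOME for every later step.
make_signing_key() {
    GNUPGHOME="$1"; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: Example Developer
Name-Email: $DEV_EMAIL
Expire-Date: 730d
%commit
EOF
}

# Export only the public half, ASCII-armored: this is what goes into the
# ticket for the administrators. The secret key never leaves GNUPGHOME.
export_public_key() {
    gpg --batch --armor --export "$DEV_EMAIL" > "$1"
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$1"
}

# Detached signature of a tarball, forcing the SHA256 digest the page asks for.
sign_tarball() {
    gpg --batch --quiet --digest-algo SHA256 --output "$1.sig" --detach-sign "$1"
}

# Consumer-side check. VALIDSIG status fields (awk numbering, $1 is "[GNUPG:]"):
# $3 fingerprint ... $9 pubkey-algo, $10 hash-algo (8 = SHA256), $11 sig-class.
# Returns 1 for a bad, missing, or non-SHA256 signature.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
      | awk '$2 == "VALIDSIG" && $10 == "8" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# End-to-end run on a constructed tarball. Returns 0 only if the genuine
# artifact verifies AND a tampered copy of it is rejected with the same .sig.
demo_sign_and_verify() {
    work=$(mktemp -d)
    make_signing_key "$work/gnupg" || return 1
    export_public_key "$work/developer.pub.asc" || return 1

    mkdir "$work/pkg-1.0"
    echo "constructed payload" > "$work/pkg-1.0/README"
    tar -C "$work" -czf "$work/pkg-1.0.tgz" pkg-1.0
    sign_tarball "$work/pkg-1.0.tgz" || return 1

    verify_tarball "$work/pkg-1.0.tgz" || { echo "ERROR: good signature rejected"; return 1; }
    echo "good signature verifies with SHA256"

    # Modify the signed artifact: the existing signature must no longer match.
    echo "tampered" >> "$work/pkg-1.0.tgz"
    if verify_tarball "$work/pkg-1.0.tgz"; then
        echo "ERROR: tampered tarball verified"; return 1
    fi
    echo "tampered tarball rejected"

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
    demo_sign_and_verify
fi
```

Two practical notes for the RPM path on the page: `rpm --addsign` picks the signing key from the `%_gpg_name` macro (normally set in `~/.rpmmacros` to the key's uid), and consumers verify with `rpm --checksig <package>.rpm` once the exported public key has been imported into the RPM database.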

Signature Creation

The following process was used to generate XSEDE's software signing key:

...

[xsedesig@software ~]$ gpg --list-keys
/home/xsedesig/.gnupg/pubring.gpg
---------------------------------
pub   4096R/20423DBB 2014-01-31
uid                   XSEDE Software <help@xsede.org>

References