It would be great if catalyst could automatically sign the DIGEST files, something like this:

gpg --clearsign -o gentoo-13.iso.DIGESTS.asc gentoo-13.DIGESTS && mv gentoo-13.iso.DIGESTS.asc gentoo-13.iso.DIGESTS

This feature could be off by default, but since the Gentoo releases are always signed and catalyst doesn't do that, it would be a great enhancement if it could do this.
It would be best to parse make.conf and read FEATURES="sign" and the potentially needed GPG_* variables from portage. I figure if you have FEATURES="sign" working for portage that should be enough to make all this work, and if you sign for portage you likely want to sign for catalyst as well.
(In reply to comment #0)
> gpg --clearsign -o gentoo-13.iso.DIGESTS.asc gentoo-13.DIGESTS && mv
> gentoo-13.iso.DIGESTS.asc gentoo-13.iso.DIGESTS

I would suggest putting the signature in a separate file, so that DIGESTS can still be parsed by checksum verifiers like `md5sum -c DIGESTS`. For portage tree snapshots, we do use a command like this:

gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output "$f".gpgsig "$f"

(In reply to comment #1)
> it would be best to parse make.conf and read FEATURES="sign" and the
> potentially needed GPG_* variables from portage. I figure if you have
> FEATURES="sign" working for portage that should be enough to make all this
> work, and if you sign for portage you likely want to sign for catalyst as
> well.

To get the portage config, you could use some code like this:

import portage
if "sign" in portage.settings.get("FEATURES", "").split():
    gpg_dir = portage.settings.get("PORTAGE_GPG_DIR")
    gpg_key = portage.settings.get("PORTAGE_GPG_KEY")
The original idea of overwriting the DIGESTS file may not be the best, as it causes this ugly warning to appear when verifying DIGESTS:

md5sum: WARNING: 26 lines are improperly formatted

Perhaps keep it named .asc or something else entirely, but overwriting .DIGESTS appears to be a "bad idea".
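The two points raised in the thread (a detached signature driven by the portage FEATURES="sign" settings, and the parse warnings caused by clearsigning DIGESTS in place) combined in one added example; this is not code from catalyst, portage or any commenter. The function names, the `.asc` default suffix, the mapping of PORTAGE_GPG_DIR to `--homedir`, the simplified line check and the sample data are assumptions.

```python
import re

# Simplified model of an md5sum-style check line: 32 hex digits, a space,
# a mode character (' ' or '*'), then the file name. This is an assumption
# for illustration, not md5sum's actual parser.
CHECK_LINE = re.compile(r"^[0-9a-f]{32} [ *].+$")

def malformed_lines(digests_text):
    """Return the lines a checksum verifier could not parse ('#' comments skipped)."""
    return [ln for ln in digests_text.splitlines()
            if not ln.startswith("#") and not CHECK_LINE.match(ln)]

def detached_sign_argv(settings, path, suffix=".asc"):
    """Build the gpg argv for a detached signature, or None if signing is off.

    `settings` is any mapping with .get(), such as portage.settings.
    """
    if "sign" not in settings.get("FEATURES", "").split():
        return None
    argv = ["gpg", "--batch"]
    if settings.get("PORTAGE_GPG_DIR"):
        argv += ["--homedir", settings["PORTAGE_GPG_DIR"]]
    if settings.get("PORTAGE_GPG_KEY"):
        argv += ["-u", settings["PORTAGE_GPG_KEY"]]
    # The signature goes to path + suffix; the DIGESTS file itself is untouched.
    return argv + ["--armor", "--detach-sign", "--output", path + suffix, path]

# Constructed sample data: one checksum line, and the same line wrapped in
# clearsign armor with a placeholder where the signature would be.
PLAIN = "d41d8cd98f00b204e9800998ecf8427e  gentoo-13.iso\n"
CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + PLAIN +
    "-----BEGIN PGP SIGNATURE-----\n\n(constructed placeholder)\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    print("unparseable lines, plain DIGESTS:", len(malformed_lines(PLAIN)))
    print("unparseable lines, clearsigned:  ", len(malformed_lines(CLEARSIGNED)))
    cfg = {"FEATURES": "sign", "PORTAGE_GPG_KEY": "0xCONSTRUCTED"}
    print(detached_sign_argv(cfg, "gentoo-13.iso.DIGESTS"))
```
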