[ rough draft ]
Have a GPG key
Create your new key:
more... [ TBD: how strong should the key be? ]
Back it up:
gpg --export-secret-keys --armor <keyid> > my_key_backup.asc
In case you need to import the backup later:
gpg --import <backup_file>,
gpg --edit-key <keyid> and
trust it ultimately.
Export the public key:
gpg --export --armor <keyid> > my_pub_key.asc
If you're going to use the key for GPG/MIME or share your signed packages with other people, you probably need to publish your key:
gpg --send-key <keyid>
Import into pacman
This is needed because pacman has its own keystore and own rules for trusting keys. Either you get approved as a packager for the MSYS2 project, or you have to import your key manually.
To import and sign your key with
pacman-key --add <pubkeyfile>, or if it's published
pacman-key --recv-keys <keyid>
pacman-key --lsign-key <keyid>more...
To make your key a trusted developer key for signing official packages, you have to get your key included in the respective keyring and get it signed by at least 3 master keys. The package and repository is
msys2-keyring for MSYS2, see Alexpux/msys2-keyring. The package and repository for Arch Linux is
archlinux-keyring, see https://projects.archlinux.org/archlinux-keyring.git/. These packages install keyring files into
/usr/share/pacman/keyrings which then can be imported and locally signed in one batch using
pacman-key --populate <keyringname>.
Actually sign stuff
- Old packages:
gpg --detach-sign --no-armor <pkg>for each package (all such packages need to be re-
repo-added to make the database aware of the new signatures)
- New packages: just add
--signto makepkg command line or set the related
repo-add -s -v <db> <pkg>