manPiGV - Cookbook: recipe #117, Signing files to allow users to...


recipe #117, Source Code Managers: Signing files to allow users to check their authenticity

Users can only check the authenticity of files if these files are signed by their author(s). So it is important that developers sign their packages, especially software release tarballs.

Obviously, you need your own GPG key to sign files. We will not describe here how to create such a key: please read the GnuPG documentation.

The best approach is to create a "detached" signature (a signature stored as a separate file, not appended to the original file). You can do that by typing:

When it is done, you can upload both the file and the signature (ending with .sig).

You should make sure that your public key is available through Savane, by registering it at

You could also propagate it to key servers with the following command:

If automated verification fails, you will receive a mail and the suspicious files will be moved into subdirectories called /maybe-corrupted. That way you will be aware if someone who is not a member of your project alters your files.
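
The signing and checking steps above, as an added shell example that is not part of the original recipe and is not Savane's own verification code. The function names are hypothetical and only standard GnuPG options are used: `sign_release` writes the detached `.sig` file, `verify_release` checks it the way a downloader would, and `audit_dir` lists files whose signature is missing or bad.

```shell
#!/bin/sh
# Added example: detached signatures for release files.
# Function names are hypothetical; file names in the usage notes are placeholders.

# sign_release FILE
# Writes a binary detached signature to FILE.sig using your default secret key.
# FILE itself is left untouched, so both files can be uploaded side by side.
sign_release() {
    gpg --yes --detach-sign --output "$1.sig" "$1"
}

# verify_release FILE
# Succeeds only if FILE.sig exists and is a good signature over FILE made by
# a key present in the local keyring. Any change to FILE makes this fail.
verify_release() {
    [ -f "$1.sig" ] && gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1
}

# audit_dir DIR
# Prints the path of every regular file in DIR (other than the .sig files
# themselves) whose signature is missing or does not verify.
audit_dir() {
    for f in "$1"/*; do
        case "$f" in
            *.sig) continue ;;
        esac
        [ -f "$f" ] || continue
        verify_release "$f" || printf '%s\n' "$f"
    done
}

# Typical use (placeholder file name):
#   sign_release   myproject-1.0.tar.gz    # creates myproject-1.0.tar.gz.sig
#   verify_release myproject-1.0.tar.gz && echo "signature OK"
#   audit_dir      ./releases              # lists unsigned or altered files
```

A good signature only proves the file matches what the key holder signed; users still need to confirm that the public key really belongs to the project's developers.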

Last update: Tue Oct 31 17:14:10 2006
This recipe comes from Gna! User Docs






Audience and Context

   All Project Members
   Download Area
