DeveloperWiki:パッケージの署名のソースを表示

[[Category:DeveloperWiki]]__NOTOC__

==Choose a UID==
* Use a valid e-mail address: no obfuscation.
* The e-mail address should be reliable (do not use one you got from your ISP or a random free service).
* When in doubt, you should prefer using your <code>@archlinux.org</code> address.
* The UID also has to be the same as the <code>PACKAGER</code> variable you use to build packages.
* A correct UID looks like this: <code>Pierre Schmitz <pierre@archlinux.de></code>
* We strongly advise you use your real name. It has to be exactly that found on official documents (passport, driver's license, etc.); see [http://wiki.cacert.org/PracticeOnNames CAcert's practice on names].

==Create a key pair==
# Install <code>gnupg</code>.
# Run: <code>gpg --gen-key</code>
## You may use the default: a never expiring 2048-bit RSA key for encryption and signing.
# Create a revocation certificate, for use when/if your private key ever gets compromised:
## Run: <code>gpg -o ~/.gnupg/pierre@archlinux.de-revoke.asc --gen-revoke pierre@archlinux.de</code>
## Make sure to store this file in a secure location (and/or encrypt it with a passphrase); then delete the plaintext version.
# Backup your private key: <code>gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc</code>

==Recommended: Get your key signed by CAcert==
# [https://www.cacert.org/index.php?id=1 Create an account on CAcert.]
# Meet CAcert assurers and have them verify your official identification documents; see [http://www.cacert.org/policy/AssurancePolicy.php CAcert's assurance policy].
# You will then be able to access a new part of the CAcert website and get your key signed:
## Export your public key: <code>gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc</code>
## Paste the content of that file into the form on the [https://www.cacert.org CAcert website].
## Save the signed key from the CAcert website and import it: <code>gpg --import <filename></code>

==Recommended: Get your key signed by other devs==
# When ever you meet with another dev, sign each others' keys.
# Take this seriously: never sign a key when you cannot verify the other person's identity.
# See [http://www.cacert.org/policy/AssurancePolicy.php CAcert's assurance policy] for good guidelines.

==Publish your public key==
# Send your public key to a keyserver:
## Check your key id with: <code>gpg -k</code>
## Run: <code>gpg --send-keys KEY-ID</code>
# Add your key fingerprint to your profile at https://www.archlinux.org/devel/profile/

==Be safe!==
# Create a backup of your keys and be sure not to forget the passphrase!