
Announcing Package Signing GPG Key Support

TL;DR

You can now upload package signing GPG keys to packagecloud.io! Adding package signing keys will cause them to be automatically installed and prepared for use by users of your repositories. Your users will benefit from this feature because the package management system will now verify GPG signatures on the packages themselves using keys that you specify.

Read more about this new feature in our GPG key documentation.

How to upload your package signing GPG key

There are two ways to upload package signing GPG keys: you can use the website or the package_cloud command line client.

Package signing keys are added per-repository and repositories are limited to a maximum of 5 GPG keys each.

Note that this feature persists GPG public keys on our servers, which we distribute as needed as users install your repository. We do not store GPG private keys, at all, ever. If you accidentally upload a GPG private key, we will only store the GPG public key portion and delete the private key.


Using the website

You can upload package signing GPG keys via the packagecloud website by clicking on the “GPG” tab on the repository page.

In the GPG key section, click the “Package signing key” tab to see a list of package signing keys, delete keys, or upload new keys.

When you click “Add package signing key”, a window will appear into which you can copy and paste your ASCII-armored GPG public key:

(Screenshot: web-based GPG key upload form)

Simply click “Create” to create the GPG key.


Using the command line client

You can upload package signing GPG keys via the package_cloud command line client. Ensure you have the latest version of the client (version 0.2.43 or newer).

Next, simply issue the following command to upload a new key:

% package_cloud gpg_key create username/reponame /path/to/gpgkey

This will upload the GPG key to packagecloud, and it will be automatically installed by users of the repository from then on.

(Screenshot: command line GPG key upload)

You can delete and list GPG keys from the command line, as well, by using the commands destroy and list, respectively.
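Because the upload is meant to carry only the public key, it is worth checking the file before it leaves your machine. The following POSIX sh functions are an added example, not part of the package_cloud client: armor_is_public_key refuses a file that contains any PRIVATE KEY BLOCK or anything other than exactly one PUBLIC KEY BLOCK, and upload_signing_key (a hypothetical wrapper name) only runs the gpg_key create command from this post after that check passes.

```shell
#!/bin/sh
# Pre-upload sanity check for an ASCII-armored GPG key file (added example).
# Returns 0 only if the file holds exactly one PUBLIC KEY BLOCK and no
# private key material; 1 if the content is wrong; 2 if the file is unreadable.
armor_is_public_key() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    # grep -c prints 0 (and exits 1) when nothing matches; "|| true" keeps
    # the count usable under "set -e".
    pub_begin=$(grep -c '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' "$f" || true)
    pub_end=$(grep -c '^-----END PGP PUBLIC KEY BLOCK-----$' "$f" || true)
    priv=$(grep -c 'PRIVATE KEY BLOCK' "$f" || true)
    if [ "$priv" -ne 0 ]; then
        echo "refusing: $f contains a PRIVATE KEY BLOCK" >&2
        return 1
    fi
    if [ "$pub_begin" -ne 1 ] || [ "$pub_end" -ne 1 ]; then
        echo "refusing: expected exactly one PUBLIC KEY BLOCK in $f" >&2
        return 1
    fi
    return 0
}

# Hypothetical wrapper: arguments are username/reponame and the key path,
# exactly as the package_cloud command in this post takes them.
upload_signing_key() {
    armor_is_public_key "$2" || return $?
    package_cloud gpg_key create "$1" "$2"
}
```

The check only inspects armor headers; it does not validate the key itself, so a corrupt public key still has to be caught by the upload.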

Conclusion

Uploading package signing GPG keys (via the website or command line) to repositories on packagecloud makes it easy for users of your repositories to automatically download, install, and use your package signing keys.

Be sure to read through our GPG documentation, and check out our GPG key API if you’d like to create, list, or delete keys programmatically.
