You can now upload package signing GPG keys to packagecloud.io! Adding package signing keys will cause them to be automatically installed and prepared for use by users of your repositories. Your users will benefit from this feature because the package management system will now verify GPG signatures on the packages themselves using keys that you specify.
Read more about this new feature in our GPG key documentation.
How to upload your package signing GPG key
There are two ways you can upload package signing GPG keys: you can use the website or the package_cloud command line client.
Package signing keys are added per-repository and repositories are limited to a maximum of 5 GPG keys each.
Note that this feature persists GPG public keys on our servers, which we distribute as needed as users install your repository. We do not store GPG private keys, at all, ever. If you accidentally upload a GPG private key, we will only store the GPG public key portion and delete the private key.
Using the website
You can upload package signing GPG keys via the packagecloud website by clicking on the “GPG” tab on the repository page.
In the GPG key section, click the “Package signing key” tab to see a list of package signing keys, delete keys, or upload new keys.
When you click “Add package signing key”, a window will appear where you can paste your ASCII-armored GPG key.
Simply click “Create” to create the GPG key.
Using the command line client
You can upload package signing GPG keys via the package_cloud command line client. Ensure you have the latest version of the client (version 0.2.43 or newer).
Next, simply issue the following command to upload a new key:
% package_cloud gpg_key create username/reponame /path/to/gpgkey
This will upload the GPG key to packagecloud, and from then on it will be installed automatically for users of the repository.
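A pre-upload check you can run on the key file before the command above, so that only an ASCII-armored public key ever leaves the signing host. This is an added example, not part of the package_cloud client; the function names check_signing_key and demo are hypothetical, and the check relies only on the standard OpenPGP armor header lines.

```shell
#!/bin/sh
# Added example: classify a key file by its OpenPGP ASCII-armor headers
# before uploading it. check_signing_key and demo are hypothetical names.

check_signing_key() {
    keyfile=$1
    [ -r "$keyfile" ] || { echo "unreadable"; return 2; }

    # Any secret key block means the file must not be uploaded, even if a
    # public block is present in the same file.
    if grep -q -e '^-----BEGIN PGP PRIVATE KEY BLOCK-----' "$keyfile"; then
        echo "private"; return 1
    fi
    # A binary (non-armored) export or an unrelated file has no public header.
    if ! grep -q -e '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$keyfile"; then
        echo "not-armored-public"; return 1
    fi
    # A missing footer usually means a truncated copy and paste.
    if ! grep -q -e '^-----END PGP PUBLIC KEY BLOCK-----' "$keyfile"; then
        echo "truncated"; return 1
    fi
    echo "public"
}

# Constructed sample files: placeholder bodies, not real key material.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' \
        'Q09OU1RSVUNURUQ=' '-----END PGP PUBLIC KEY BLOCK-----' > "$d/pub.asc"
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '' \
        'Q09OU1RSVUNURUQ=' '-----END PGP PRIVATE KEY BLOCK-----' > "$d/priv.asc"
    for f in "$d/pub.asc" "$d/priv.asc"; do
        printf '%s: %s\n' "${f##*/}" "$(check_signing_key "$f")"
    done
    rm -rf "$d"
}

# Typical use, gating the upload command shown above:
#   check_signing_key /path/to/gpgkey && \
#       package_cloud gpg_key create username/reponame /path/to/gpgkey
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The check looks only at the armor headers; it does not verify that the key is the one your packages are actually signed with.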
You can delete and list GPG keys from the command line, as well, by using the commands
Uploading package signing GPG keys (via the website or command line) to repositories on packagecloud makes it easy for users of your repositories to automatically download, install, and use your package signing keys.