Here are itemized guidelines for GNU packages:
file_permissions -o 0 -g 0directive in the PSF is the easiest way to do this.
Here is an example PSF.
# PSF.in -- Example 'swign' Input file for GNU packages. # Occurrences of %__tag and %__revision will be replaced # by values determined from the name of the current directory # that has the form: tag-revision distribution # dfiles dfiles # dfiles is the default AUTHORS <./AUTHORS # optional COPYING <./COPYING # optional checkdigest <./var/checkdigest.sh # or wherever it is on your system tag %__tag-%__revision # Optional, this will set '--dir' option of # of swpackage. vendor the_term_vendor_is_misleading True tag GNU title GNU's Not Unix description "The GNU Project was launched in 1984 to develop a complete UNIX-like operating system which is free software: free as in freedom, not price. See http://www.gnu.org." product title GNU %__tag vendor_tag GNU description Source package for %__tag # More can be added tag %__tag # This is the package name revision %__revision # This is the package version control_directory "" fileset tag source control_directory "" file_permissions -o 0 -g 0 directory . file * # exclude RCS # Not supported yet by swign # exclude CVS # Not supported yet by swign exclude catalog # required
Here is how to use the PSF to create a package with an embedded GPG signature.
cd somepackage-1.0 swign -s PSF.in -u "Your GPG name" @- | gzip -9 >../somepackage-1.0.tar.gz # Then do a couple quick tests swverify -d @- <../somepackage-1.0.tar.gz # If a checkdigest script was included and the file system is Ext2 # compatible then the following should work, try it swverify -d @. # For some newer file system you must use the --order-catalog option swverify --order-catalog -d @.
To make a nearly identical package using swpackage
# First, the replacement macros must be processed by swign swign -s PSF.in --show-psf | swpackage -s - --gpg-name="Your GPG name" \ --dir-owner=0 --dir-group=0 --files --sign @- | gzip -9 >../somepackage-1.0.tar.gz
There are differences between swign and swpackage. swign uses swpackage but uses tar to write the final archive hence it is more fail safe against bugs. swign modifies the ./catalog/ making . immediately verifiable with swverify and is simpler to use.
That's it. You now have a tar archive with one or more embedded signatures, that is created using tar, is verifiable with existing tools, compatible with current practice, and conforms to the POSIX packaging standard.