repo-add: allow signing of the package database

In order to be fully secure, we can't only sign packages. We also need to sign our repository metadata to prevent database falsification, dependency injection, etc. Add an '-s/--sign' option that allows this functionality, and will generate a .sig file side-by-side with the package database. While at it, fix the issue where a signature file would never be found because of 'cd' madness (this needs fixing in another commit). Signed-off-by: Dan McGee <dan@archlinux.org>
author: Dan McGee <dan@archlinux.org> 2009-08-24 13:23:44 -0500
committer: Dan McGee <dan@archlinux.org> 2011-03-23 00:26:54 -0500
commit: a4120f2015ae4d5880642e16c81acadbab77555d (patch)
tree: 0fd937049a90694f082738af3b1ef297c76bc742 /doc/repo-add.8.txt
parent: 8fde399fe62c3a08310e1830bb15b6e93ed360f9 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/repo-add.8.txt b/doc/repo-add.8.txt
index 75f49ef5..26009f67 100644
--- a/doc/repo-add.8.txt
+++ b/doc/repo-add.8.txt
@@ -43,6 +43,13 @@ Options
 	Force this program to keep quiet and run silent except for warning and
 	error messages.
 
+*-s, \--sign*::
+	Generate a PGP signature file using GnuPG. This will execute `gpg
+	--detach-sign --use-agent` on the generated database to generate a detached
+	signature file, using the GPG agent if it is available. The signature file
+	will be the entire filename of the database with a ``.sig'' extension.
+
+
 See Also
 --------
 linkman:makepkg[8], linkman:pacman[8]
author	Dan McGee <dan@archlinux.org>	2009-08-24 13:23:44 -0500
committer	Dan McGee <dan@archlinux.org>	2011-03-23 00:26:54 -0500
commit	a4120f2015ae4d5880642e16c81acadbab77555d (patch)
tree	0fd937049a90694f082738af3b1ef297c76bc742 /doc/repo-add.8.txt
parent	8fde399fe62c3a08310e1830bb15b6e93ed360f9 (diff)