Skip to content

Add (PGP) signature verification for packages

Add a generic middleware to verify package signatures with. One derived version needs to implement this using the archlinux-keyring based distribution keyring.

Signature verification should enforce that

  • a package has a valid signature of a packager in the distribution keyring
  • a signature is done using a key that has sufficient trust (a minimum of three signatures by valid main signing keys)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information