This guide assumes you already have a PGP public and private key pair for package signing. If not, there are plenty of guides that explain how to generate one. It uses GnuPG version 2, which works with gpg-agent, so the passphrase can be cached for the duration of a long build instead of being typed for every package. Install it with:
pkgin in gnupg2
Enable SIGN_PACKAGES in /opt/local/etc/mk.conf so that pkgsrc signs every binary package as it is built:
SIGN_PACKAGES= gpg
Then tell pkg_install which gpg binary to use and which key to sign as, in /opt/local/etc/pkg_install.conf:
GPG=/opt/local/bin/gpg2
GPG_SIGN_AS=your_pgp_key_id
Give GPG_SIGN_AS the long key ID or the full fingerprint rather than a short 8-hex-digit ID: short IDs are not unique, and a key with a colliding short ID is trivial to generate.
The user who builds the packages needs the key pair in their own GnuPG keyring in order to sign them. In this example the key files were copied to the build host as root:
[root@build-pkgsrc-tm-2014q4 ~]# ls -la pkgsrc/
-rw-r--r-- 1 root root 3086 Mar 26 15:32 pkgsrc_pkg_sig.pub
-r-------- 1 root root 6687 Mar 26 15:32 pkgsrc_pkg_sig.sec
# Verify that you are importing the correct key: compare its fingerprint (gpg's --fingerprint option)
# with the one you know from the key owner through another channel before and after importing
gpg --import pkgsrc/*
The gnupg2 package installs the binary as gpg2, as the GPG= line above assumes; use that name if plain gpg on your system is still version 1. Once the key is imported, delete the plaintext copy of the .sec file from the build host; the private key then lives only in ~/.gnupg, protected by its passphrase.
Add the following lines to your ~/.bashrc. They reuse a running agent if the pid recorded in the env file is still alive, and otherwise start a new one:
envfile="$HOME/.gnupg/gpg-agent.env"
# the env file contains GPG_AGENT_INFO=<socket>:<pid>:<protocol>; field 2 is the pid
if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    eval "$(gpg-agent --daemon --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO # the env file does not contain the export statement
export GPG_TTY=$(tty) # tell gpg which terminal pinentry may use (needed e.g. inside a zlogin session)
This is the GnuPG 2.0 way of doing it. GnuPG 2.1 and later start the agent on demand and ignore GPG_AGENT_INFO, so there the if block is unnecessary; the GPG_TTY export is still needed.
Modify your ~/.gnupg/gpg.conf file so that gpg uses the agent:
use-agent
We want gpg to sign packages unattended during a long build, so we raise the agent's passphrase cache lifetime in ~/.gnupg/gpg-agent.conf. default-cache-ttl is an idle timeout and is additionally capped by max-cache-ttl, which defaults to two hours, so raise both. Values are in seconds, and comments go on their own lines because GnuPG only treats # as a comment marker at the start of a line:
# 12 hours, long enough for a full build run
default-cache-ttl 43200
max-cache-ttl 43200
pinentry-program /opt/local/bin/pinentry
Keep in mind that the passphrase then stays in the agent's memory for 12 hours, and anyone who can run processes as the build user during that time can sign packages with your key. Kill the agent when the build is done rather than letting the cache expire.
On SmartOS the pkgsrc keyring is stored in /opt/local/etc/gnupg/pkgsrc.gpg; check the GPG_KEYRING_VERIFY setting in /opt/local/etc/pkg_install.conf for the path actually used on your machines. Signing only pays off if the clients enforce it: VERIFIED_INSTALLATION in the same file decides whether pkg_add refuses packages that are unsigned or signed by an unknown key, so set it to something stricter than never.
To let pkg_add verify your new packages, your public key must be in that keyring on every machine that installs them. Import it with:
gpg --primary-keyring /opt/local/etc/gnupg/pkgsrc.gpg --import pkgsrc/pkgsrc_pkg_sig.pub
Only the .pub file goes to the clients; the .sec file never leaves the build host. Every key in that keyring is accepted as a package signer, so the file must be writable by root only, and the key's fingerprint should be checked before importing it here, just as on the build host.
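The steps above are easy to get wrong in three places: importing a key without checking what it is, setting a cache timeout the agent silently caps, and mixing up which keyring a key goes into. The following POSIX shell functions are an added example written for this page, not code from the original post or from pkgsrc: they pin the signing key's fingerprint before any import, import into either the build user's keyring or the clients' pkgsrc verification keyring, read the agent pid from the env file the same way the .bashrc snippet does, and write a gpg-agent.conf with both cache limits. The paths, the EXPECTED_FPR value in the usage comment and the gpg invocation used to list a key file are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from pkgsrc.
# Assumed paths (override via the environment): gpg2 from the gnupg2 package,
# the SmartOS pkgsrc verification keyring, and key files under ./pkgsrc/.
GPG=${GPG:-/opt/local/bin/gpg2}
PKGSRC_KEYRING=${PKGSRC_KEYRING:-/opt/local/etc/gnupg/pkgsrc.gpg}

# Primary-key fingerprint from "gpg --with-colons" output on stdin.  The first
# fpr record belongs to the primary key and carries the fingerprint in field 10
# ("fpr:::::::::<FINGERPRINT>:"); subkey fpr records come later and are skipped.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of a key file without importing it.  A bare file argument is how
# GnuPG 2.0 lists a key file; on 2.1+ use "--import-options show-only --import".
key_file_fpr() {
    "$GPG" --with-colons --with-fingerprint "$1" 2>/dev/null | fpr_from_colons
}

# Compare two fingerprints ignoring spaces and case.  Empty input never matches,
# so a key file gpg could not parse counts as a mismatch.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Import $1 only if its fingerprint equals the pinned value $2 (obtained from
# the key owner out-of-band).  With $3 set, import into that keyring (the
# clients' pkgsrc.gpg) instead of the calling user's default keyring (build user).
import_pinned_key() {
    keyfile=$1; expected=$2; keyring=${3:-}
    actual=$(key_file_fpr "$keyfile")
    if ! fpr_matches "$actual" "$expected"; then
        echo "refusing to import $keyfile: fingerprint '$actual' is not '$expected'" >&2
        return 1
    fi
    if [ -n "$keyring" ]; then
        "$GPG" --no-default-keyring --keyring "$keyring" --import "$keyfile"
    else
        "$GPG" --import "$keyfile"
    fi
}

# Pid recorded by "gpg-agent --write-env-file" (GnuPG 2.0), whose env file
# contains GPG_AGENT_INFO=<socket path>:<pid>:<protocol version>.
agent_pid_from_envfile() {
    [ -r "$1" ] || return 1
    sed -n 's/^GPG_AGENT_INFO=[^:]*:\([0-9][0-9]*\):.*$/\1/p' "$1"
}

# True if the agent named in env file $1 is still running.
agent_alive() {
    pid=$(agent_pid_from_envfile "$1") && [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# gpg-agent.conf for unattended signing: default-cache-ttl is an idle timeout
# and is capped by max-cache-ttl (2 hours by default), so both get the value.
# Comments sit on their own lines because gpg-agent does not strip trailing ones.
write_agent_conf() {
    dir=$1; ttl=$2; pinentry=$3
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cat > "$dir/gpg-agent.conf" <<EOF
# cache the signing passphrase for $ttl seconds (idle and absolute limit)
default-cache-ttl $ttl
max-cache-ttl $ttl
pinentry-program $pinentry
EOF
}

# Usage (EXPECTED_FPR is a hypothetical value; take the real one from the key owner):
#   EXPECTED_FPR='ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234'
#   build host:  import_pinned_key pkgsrc/pkgsrc_pkg_sig.pub "$EXPECTED_FPR"
#                write_agent_conf "$HOME/.gnupg" 43200 /opt/local/bin/pinentry
#   each client: import_pinned_key pkgsrc/pkgsrc_pkg_sig.pub "$EXPECTED_FPR" "$PKGSRC_KEYRING"
```

The fingerprint comparison is the point: `gpg --import pkgsrc/*` trusts whatever file happens to be in that directory, while import_pinned_key refuses anything whose primary-key fingerprint does not match the value you were given through a separate channel. The same function serves both sides, since the only difference between the build host and a client is which keyring the public key lands in.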