## pkgsig

- gpg for now
- master packages-signing signing key, which signs keys that are good for one arch/os-version/quarterly
- agc wants the signing to be done under human control; change the rsync task to send mail to the pbulk admin. Wait until the bulk signing is done and use a lock file to indicate it's time to sync? Or just start the rsync manually in a script that also does the signing?
- how does signing work? do we have tools to sign an entire harvest of packages in one go?