pkgsig

how does signing work? do we have tools to sign an entire harvest of packages in one go?

Signing is done with pkg_admin from pkgtools/pkg_install: pkg_admin gpg-sign-package <src> <dest> writes a signed copy of the package <src> to <dest>.

Signed packages are ar(1) archives with three members: a hash file over the package contents, the detached GPG signature over that hash file, and the original .tgz stored under the name it had when it was signed (here the .tmp.tgz name from the loop below):

+PKG_HASH
+PKG_GPG_SIGNATURE
p5-DateTime-Format-W3CDTF-0.07nb1.tmp.tgz

The pkgsrc tooling wants to sign each package as it is built; Joyent does that with gpg-agent, so there is no bulk-signing tool yet. Signing packages after the fact is not hard, though, so to batch-sign:

# $unsigned holds the unsigned .tgz files; signed copies go to signedpkgs/
mkdir -p signedpkgs
for i in $unsigned; do
  mv "$i" "${i%.tgz}.tmp.tgz"
  pkg_admin gpg-sign-package "${i%.tgz}.tmp.tgz" "signedpkgs/$i"
done

This still asks for the passphrase for every single package, so run it under gpg-agent. Does gpg-agent have an issue with chroots? It would not work in the build chroot, but that may simply be because both gnupg and gnupg2 are installed there.
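A more careful version of the batch loop above, added here as an example (it is not pkgsrc's own tooling): it skips packages that are already signed (a signed package is an ar archive beginning with "!<arch>", an unsigned one a gzip'd tar, so the first bytes tell them apart), skips packages that already have a signed copy in the destination, leaves the unsigned tree as it found it, and stops at the first failure. The PKG_ADMIN override variable and the skip rules are this example's own choices, not anything pkg_admin provides. It still needs a running gpg-agent to avoid one passphrase prompt per package, and the signing key configured in pkg_install.conf (GPG_SIGN_AS).

```shell
#!/bin/sh
# Batch-sign a directory of pkgsrc binary packages with pkg_admin(1).
# Added example, not pkgsrc's own tooling. The PKG_ADMIN override and the
# "skip when a signed copy exists" rule are assumptions of this example.

PKG_ADMIN=${PKG_ADMIN:-pkg_admin}

# A signed package is an ar archive starting with "!<arch>\n"; an unsigned
# one is a gzip'd tar starting with 1f 8b. Succeeds when $1 is already signed.
# The first 8 bytes are hex-dumped with od so binary input never goes through
# a command substitution.
is_signed_pkg() {
    magic=$(dd if="$1" bs=8 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    [ "$magic" = "213c617263683e0a" ]
}

# sign_dir SRC DST: sign every unsigned SRC/*.tgz into DST/<same name>.
# As in the loop on this page, the source is renamed to .tmp.tgz while it is
# signed (so that is the member name inside the ar archive); it is renamed
# back afterwards so the unsigned tree is left as it was.
sign_dir() {
    src=$1 dst=$2
    mkdir -p "$dst"
    for pkg in "$src"/*.tgz; do
        [ -f "$pkg" ] || continue                   # glob matched nothing
        name=${pkg##*/}
        case $name in *.tmp.tgz) continue ;; esac   # leftover of an aborted run
        if is_signed_pkg "$pkg"; then
            echo "skip (already signed): $name" >&2
            continue
        fi
        if [ -e "$dst/$name" ]; then
            echo "skip (signed copy exists): $name" >&2
            continue
        fi
        tmp="$src/${name%.tgz}.tmp.tgz"
        mv "$pkg" "$tmp"
        if "$PKG_ADMIN" gpg-sign-package "$tmp" "$dst/$name"; then
            mv "$tmp" "$pkg"
        else
            mv "$tmp" "$pkg"
            echo "signing failed: $name" >&2
            return 1
        fi
    done
}

# Run as a script: signpkgs.sh packages signedpkgs
# (sourcing the file only defines the functions).
case $# in
    2) sign_dir "$1" "$2" ;;
esac
```

The magic-byte check is cheap insurance against signing a package twice, which would wrap one ar archive inside another; rerunning the script after a failure therefore only signs what is still missing from the destination.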

pkg_install from pkgsrc currently has an issue when pkg_add meets a signed package: it refuses to install the package unless it can verify the signature first, even when you have expressly asked not to verify. The base-system pkg_add complains but installs anyway.