Guidelines for GNU Source Packages - Creating and Verifying Tar Archives with Embedded GPG Signatures

Next: Using Automake and Swbis, Previous: Adding New Signatures, Up: Top

6 Guidelines for GNU Source Packages

Here are itemized guidelines for GNU packages:

Use GNU tar version 1.15.x, GNU swbis version 0.483 or later versions.
Use the default swign format option --format=ustar. This corresponds to tar option --format=ustar.
Do not include symbolic or hard links in the distribution, make them when configuring if needed.
Try not to make file names longer than 99 bytes because this will make verification of the unpacked directory form a little problematic until some bugs in swbis and tar are fully converged.
Set the file ownerships in the package to numeric root/root. Using the file_permissions -o 0 -g 0 directive in the PSF is the easiest way to do this.
Do include a checkdigest script. The file ./bin/checkdigest.sh from the swbis distribution should work for any package.

Here is an example PSF.

     # PSF.in  -- Example 'swign' Input file for GNU packages.
     # Occurrences of %__tag and %__revision will be replaced
     # by values determined from the name of the current directory
     # that has the form:  tag-revision
     distribution
       # dfiles dfiles            # dfiles is the default
       AUTHORS <./AUTHORS         # optional
       COPYING <./COPYING         # optional
       checkdigest <./var/checkdigest.sh  # or wherever it is on your system
       tag %__tag-%__revision   # Optional, this will set '--dir' option of
                                  # of swpackage.
     vendor
        the_term_vendor_is_misleading True
        tag GNU
        title GNU's Not Unix
     description "The GNU Project was launched in 1984 to develop a complete UNIX-like
     operating system which is free software: free as in freedom, not price.
     See http://www.gnu.org."
     
     product
       title GNU %__tag
       vendor_tag GNU
       description Source package for %__tag  # More can be added
       tag %__tag                 # This is the package name
       revision %__revision       # This is the package version
       control_directory ""
       fileset
          tag source
          control_directory ""
          file_permissions -o 0  -g 0
          directory .
          file *
          # exclude RCS   # Not supported yet by swign
          # exclude CVS   # Not supported yet by swign
          exclude catalog  # required

Here is how to use the PSF to create a package with an embedded GPG signature.

     cd somepackage-1.0
     swign -s PSF.in  -u "Your GPG name" @- | gzip -9 >../somepackage-1.0.tar.gz
     # Then do a couple quick tests
     swverify -d @- <../somepackage-1.0.tar.gz
     
     # If a checkdigest script was included and the file system is Ext2
     # compatible then the following should work, try it
     swverify -d @.
     
     # For some newer file system you must use the --order-catalog option
     swverify --order-catalog -d @.

To make a nearly identical package using swpackage

     # First, the replacement macros must be processed by swign
     swign -s PSF.in --show-psf |
     swpackage -s - --gpg-name="Your GPG name" \
     --dir-owner=0 --dir-group=0 --files --sign @- |
     gzip -9 >../somepackage-1.0.tar.gz

There are differences between swign and swpackage. swign uses swpackage but uses tar to write the final archive hence it is more fail safe against bugs. swign modifies the ./catalog/ making . immediately verifiable with swverify and is simpler to use.

That's it. You now have a tar archive with one or more embedded signatures, that is created using tar, is verifiable with existing tools, compatible with current practice, and conforms to the POSIX packaging standard.