In CircleCI we build the DEB and RPM packages with makedeb.js and makerpm.js. The signing for DEB and RPM is slightly different. Here are some thoughts from my investigations:
For DEB, the packages are already built and can be signed afterwards with the GPG key:
We can verify whether the signing was successful with:
With RPM we have two options: sign during the RPM build, or add a signature to an existing RPM. If we go with adding the signature to an existing RPM, we can create a build job that runs after the RPMs and DEBs are created. We are free to set a filter in the CircleCI config so that it signs always or only for specific branches.
We can check the signing:
- We have control over building signed and unsigned RPM and DEB packages
- It is possible to run makedeb.js and makerpm.js locally without needing a GPG key to sign packages for local builds