2022-07-15 12:40 UTC
  • Xyne


Description: Easily create signed Pacman package repositories.
Latest Version: 2021.11.12
Source Code: src/
  • any
Arch Repositories:
  • [xyne-any]
  • [xyne-i686]
  • [xyne-x86_64]
AUR Page: repo-add_and_sign
Arch Forum Thread: 145763


repo-add_and_sign is a Python 3 script that wraps gpg, repo-add and repo-remove to batch-sign packages and generate signed repositories. The script will only prompt for a passphrase once and will not leave any keyring agents running. See the FAQ below.


Why not sign with makepkg and repo-add?

To use those options you either need to enter a passphrase for each file, which is very tedious, or you need to run a keyring agent in the background. Unless you are constantly signing things, the agent is unnecessary most of the time. It is also a security risk because anyone who can get access to your system would be able to use your key while the agent is running.

How do I generate a key?

Short answer: gpg --gen-key

Long answer: GPGMiniHowto.

If you had to ask, I suggest at least skimming the documentation.

Help Message

$ repo-add_and_sign --help

usage: repo-add_and_sign [-h] [-r <name>] [-e <extension>] [-a <architecture>]
                         [-o <path>] [--no-sign] [-c] [-p] [-v] [-u <GPG UID>]
                         [--passphrase <GPG passphrase>] [--no-verify]
                         <pkg path> [<pkg path> ...]

Generate a signed repo for some packages.

  -h, --help            show this help message and exit

Repo Options:
  <pkg path>            The packages to include in the repo. Use the "--arch"
                        option if you need to filter the input paths.
  -r <name>, --repo <name>
                        The name of the repo to create.
  -e <extension>, --archive-ext <extension>
                        The database archive extension. Default: ".tar.xz"
  -a <architecture>, --arch <architecture>
                        Filter the input files by architecture compatibility,
                        e.g. "--arch x86_64" will only include "x86_64" and
                        "any" packages. This is useful when generating a repo
                        from a pool of packages.
  -o <path>, --out <path>
                        The output directory in which to create the repo.
                        Defaults to the current directory.
  --no-sign             Do not sign packages and databases.
  -c, --copy            Copy extradirectorial packages instead of symlinking
  -p, --purge           Purge older versions of packages and databases.
  -v, --verbose         Increase logging verbosity: once for INFO, twice for

GPG Options:
  -u <GPG UID>, --uid <GPG UID>
                        The user ID of the signing key. This option accepts
                        anything that can be passed to gpg's "-u" option.
  --passphrase <GPG passphrase>
                        Optionally provide the passphrase of the signing key.
                        Warning: this option will expose your passphrase to
                        all users with access to your process list.
  --no-verify           Skip GPG verfication of existing signatures. Only
                        check timestamps. This is faster but it will not
                        detect existing invalid signatures.


GPG Signing

For signing you will need to add allow-loopback-pinentry to ~/.gnupg/gpg-agent.conf.



  • Fixed bug that reset password passed to main function.


Refactored code:

  • Refactored most code for modularity.
  • Conform to PEP 8 style.
  • Use proper logging with colored output if colorsysplus is installed.
  • Use checksums and PGP signatures in database to check which files need to be added.


  • added --copy option as suggested by mortbauer from the Arch Linux forums


  • improved checking of signature modification times to ensure consistency


  • added --verbose option
  • delete matching signatures when purging old packages
echo | sed 's/\./@/'
XHTML 1.0 Strict CSS level 3 Atom 1.0