For general information about binary archives, see BinaryArchives.

= Using Your Own Archives =

MacPorts verifies every archive it uses, so archives must be signed. This page is a guide to signing your own.

= Create Keys =

The first step (also detailed in [browser:trunk/base/doc/pubkeys.conf.in ${prefix}/etc/macports/pubkeys.conf]) is to make keys to sign your archives. To distribute archives of your own, you need a key pair generated like so:

{{{
cd ~/.ssh
# 2048-bit RSA private key, encrypted with a passphrase (-des3)
openssl genrsa -des3 -out privkey.pem 2048
# Matching public key, used to verify the signatures
openssl rsa -in privkey.pem -pubout -out pubkey.pem
}}}

Be sure to add this key to your ssh keyring or you'll be asked for the password each time it's used. An alternative is to save it as an unencrypted key, like so:

{{{
# Writes a copy of the private key without the passphrase
openssl rsa -in privkey.pem -out privkey.pem.bare
}}}

= Sign Packages =

Then sign the archives like this:

{{{
openssl dgst -ripemd160 -sign privkey.pem -out archive.tbz2.rmd160 archive.tbz2
}}}

If you have lots of archives to sign, this can be done with a for loop in your shell. Here I use bash:

{{{
cd /archive/repository
for i in */*tbz2; do
    openssl dgst -ripemd160 -sign ~/.ssh/privkey.pem.bare -out "$i.rmd160" "$i"
done
}}}

Note that this saves the signatures alongside the archives, simply using `.rmd160` as a suffix. This is what MacPorts expects.

= Configure MacPorts =

Now we need to add your key to MacPorts and then add your repository:

 * add the path to a copy of your public key in pubkeys.conf
 * add your archives to [browser:trunk/base/doc/archive_sites.conf archive_sites.conf]

I saved a copy of my public key as `${prefix}/etc/macports/snc.pub` for simplicity.

= Try It =

Your archives are now signed and MacPorts should be configured to recognize your signature. Try it out!

= Maintenance of Archive Repository =

Each day (really, every 30 minutes) new ports arrive and several are updated. Rather than rebuilding the whole tree you'll want to go after the ones with changes.
This is easily achieved with the `find` command.

{{{
cd ${prefix}/var/macports/sources/rsync.macports.org/release/ports
sudo port selfupdate
# Portfiles modified within the last day
find . -name Portfile -mtime -1d | while read -r i
do
    # ./category/portname/Portfile -> portname
    sudo port archive "$(dirname "${i#*/*/}")"
done
}}}

As you build archives, you'll eventually come across an instance where you're upgrading an older version. Keeping these outdated archives around might be less than ideal. We can wipe them out as we build the updates in the repository, checking the versions against what's current.

{{{
cd /archive/repository
sudo port selfupdate
for i in *
do
    # Current version of the port named after this directory
    port -q info --index --version "$(basename "$i")" | while read -r j
    do
        # Remove every file whose name does not contain that version
        # (-F matches the version as a literal string, not a regex)
        ls "$i" | grep -vF -- "$j" | while read -r k
        do
            sudo rm -v "$i/$k"
        done
    done
done
}}}

This can also be accomplished using `rsync` between a build box and a web server. After syncing you'd run a `sign_archives` routine described above.

{{{
for i in ${prefix}/var/macports/software/*
do
    port -q info --index --version "$(basename "$i")" | while read -r j
    do
        # "P" protects files matching the current version from --delete
        rsync -az --delete --filter "P *$j*" "$i" /var/www/macports/
    done
done
sign_archives.sh
}}}
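
One possible shape for the `sign_archives.sh` step, written as an added example and not taken from this page or from MacPorts: it signs each archive that has no `.rmd160` file yet, then checks every signature with the public key that clients are given in pubkeys.conf, and reports an archive whose existing signature no longer verifies without re-signing it. The function names, the argument order and the `DIGEST` variable are assumptions.

```shell
#!/bin/sh
# Added example, not the MacPorts project's own sign_archives routine.
# sign_archives, verify_archive and DIGEST are hypothetical names.
DIGEST="${DIGEST:-ripemd160}"   # digest used on this page; the override is an assumption

# verify_archive ARCHIVE PUBKEY
# Succeeds only if ARCHIVE.rmd160 is a valid signature over ARCHIVE for PUBKEY.
verify_archive() {
    [ -f "$1.rmd160" ] &&
        openssl dgst "-$DIGEST" -verify "$2" -signature "$1.rmd160" "$1" >/dev/null 2>&1
}

# sign_archives REPO PRIVKEY PUBKEY
# Signs every REPO/<port>/*.tbz2 that has no signature file yet, then verifies
# each signature with PUBKEY. Returns 0 only if every signature verifies.
sign_archives() {
    repo=$1 priv=$2 pub=$3 failed=0
    for a in "$repo"/*/*.tbz2; do
        [ -f "$a" ] || continue        # glob matched nothing
        if [ ! -e "$a.rmd160" ]; then
            # New archive: sign it; drop a partial file if signing fails
            openssl dgst "-$DIGEST" -sign "$priv" -out "$a.rmd160" "$a" ||
                { rm -f "$a.rmd160"; failed=1; continue; }
        fi
        if ! verify_archive "$a" "$pub"; then
            # Either the archive changed after it was signed, or PUBKEY is not
            # the partner of the signing key. Do not re-sign automatically.
            echo "signature does not verify: $a" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Usage: sh sign_archives.sh /archive/repository privkey.pem.bare pubkey.pem
if [ "$#" -eq 3 ]; then
    sign_archives "$@"
fi
```

A non-zero exit status means at least one archive should not be published until it has been checked by hand.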