3. Creating packages for publishing

When building packages for a repository that's published on a web site, certain additional information needs to be added to packages. First, grab the file produced by --export --armor. If this file is not available it can be obtained from the repository:

wget http://www.example.com/repository/pgpkeys.txt
mv pgpkeys.txt pgpkeys.tmp
gpg -o pgpkeys.txt pgpkeys.tmp

The downloaded pgpkeys.txt file is signed. Running the gpg command strips the signature from the file. Preferably, the GPG keyring will already have the signing key, and the signature will verify. If not, gpg will still strip the signature, but will complain.

Before proceeding, verify that the file contains an ASCII-armored keyring. The file's contents should be:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: something

... base64-encoded data ...

-----END PGP PUBLIC KEY BLOCK-----
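
The strip-and-verify step above as a script that fails closed. This is an added example, not part of LPMtool; the function names strip_signature and is_armored_keyring are hypothetical. It accepts the keyring only if gpg reports a good signature and the result has the armored layout shown above.

```shell
#!/bin/sh
# Added example, not LPMtool code; both function names are hypothetical.

# strip_signature IN OUT: the "gpg -o" step from the text, but it succeeds
# only when gpg reports a good signature from a key already in the keyring.
# OUT is still written on failure, so callers must check the exit status.
strip_signature() {
    gpg --batch --yes --status-fd 1 -o "$2" "$1" 2>/dev/null |
        grep -q '^\[GNUPG:\] GOODSIG '
}

# is_armored_keyring FILE: succeeds only when FILE is one armored public key
# block: BEGIN line, optional "Name: value" headers, blank line, base64 lines,
# END line. Anything else (HTML error page, unstripped file) is rejected.
is_armored_keyring() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        state == 0 {                            # looking for the BEGIN line
            if ($0 == "") next
            if ($0 != "-----BEGIN PGP PUBLIC KEY BLOCK-----") exit
            state = 1; next
        }
        state == 1 {                            # armor headers, e.g. Version:
            if ($0 == "") { state = 2; next }
            if ($0 !~ "^[A-Za-z]+: ") exit
            next
        }
        state == 2 {                            # base64 body up to the END line
            if ($0 == "") next
            if ($0 == "-----END PGP PUBLIC KEY BLOCK-----") { state = 3; next }
            if ($0 !~ "^[A-Za-z0-9+/=]+$") exit
            body++; next
        }
        state == 3 && $0 != "" { state = 4 }    # trailing data after END
        END { exit !(state == 3 && body > 0) }
    ' "$1"
}
```

Run `strip_signature pgpkeys.tmp pgpkeys.txt && is_armored_keyring pgpkeys.txt` and continue only if it succeeds.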

Add the following information to the build header section of the package's specfile:

Source9: pgpkeys.txt
Repository(pgpkeys.txt): http://www.example.com/repository

Also, add the following to the package's %begin install section:

cp %SOURCE9 .

Any source label can be used, not just Source9. What matters is that the repository's pgpkeys.txt is present in the default work directory when the build script finishes. It is even better to include pgpkeys.txt in the source tarball itself, instead of adding it manually with a Source: header and having the build script copy it into the work directory.

Build LPMtool packages like this:

lpbuild --repository /var/www/html/repository application.lpspec

The --repository option conveniently creates the packages: it prompts for the default GPG key's passphrase, builds the packages, signs them, and places them into the repository.

The --repository option is not strictly required, but it is very convenient. Package files can be added to the primary repository manually, provided that: