[Tbox-talk] GPG signatures

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

How about adding full support for GPG signed packages? Every package and
recipe file would be GPG signed by it's maintainer and by default
nothing would be installed if the signature didn't match an existing
known key.

Preferrably also support GPG signatures for original source packages if
they're found, like:

S ftp://foo/bar.tar.gz ftp://foo/bar.tar.gz.asc

The signature in .asc file would then be verified to be signed with a
key which is signed by the upm maintainer.

Other than that I like most of the design and ideas.