
How to sign my own Arch Linux git packages for adding to a private repo?

3 votes
1 answer
2060 views
I already have a GPG key configured. I have cloned the git source code package locally. I'm building in a chroot with `extra-x86_64-build`. I am able to build packages *without* signing and add them to the local private repo. Now I want to build the package, **sign it**, and add it to my private local repo in a way that will require signature validation on the client when it is installed with pacman. **What are the steps?**

Below are my current steps, which I assembled from many different Arch wiki pages, man pages, and other places. I include some detail to show what I'm doing and where I'm still having confusion or trouble.

Note: I am able to complete all three of the first sections without any issues. My problems start after that.

### preliminary general steps (all completed):

1. read wiki pages (such as [https://wiki.archlinux.org/index.php/Creating_packages](https://wiki.archlinux.org/index.php/Creating_packages))
2. install base-devel, devtools, namcap, shellcheck
3. `systemctl status haveged` # make sure it is active

### preliminary package signing steps (all completed):

* review `/usr/share/devtools/pacman-extra.conf`
  * I added my local private/custom repository here (with the default SigLevel)
* edit `/etc/makepkg.conf`:
  * `BUILDENV=(!distcc color !ccache check sign)` # make sure sign is active
  * `PACKAGER="My Name "`
  * `GPGKEY="1234ABCD09876"` # use your key's full fingerprint, uppercase, no whitespace
* with an existing GPG key on my user's keyring, do these steps:
  * `gpg --armor --output mykey.sec --export-secret-keys 1234ABCD09876`
  * `sudo pacman-key -a mykey.sec`
  * `sudo pacman-key --finger 1234ABCD09876`
  * `sudo pacman-key --lsign-key 1234ABCD09876`

### prepare source files, PKGBUILD (completed):

1. `git clone ${url}` # or `git pull` if already cloned
2. inspect PKGBUILD
3. `namcap -i PKGBUILD`
4. `makepkg --packagelist` # inspect the version number (optional)

## Questions:

1. FYI - I am starting with internal & trusted source files. They are not signed and there are no sums in the PKGBUILD I start with.
2. how do I modify the PKGBUILD to include sums of the built package and its .sig file?
   * at what step is the package's .sig file added to the PKGBUILD? How is that done?
3. when are the sums for the built package added to the PKGBUILD?
   * when do I run this step? `makepkg -g >> PKGBUILD`
   * when is this used instead? `updpkgsums`

### next, build the package in a chroot env (I can do this *only without* package signing)

`extra-x86_64-build`

NOTE: I am running into this issue: makepkg: fail to sign source package with dynamic version [https://bbs.archlinux.org/viewtopic.php?id=259771](https://bbs.archlinux.org/viewtopic.php?id=259771) (I guess this will be solved with the next release of pacman? For now, I guess the work-around is to hard-code the version number instead of using VCS-derived versions?)

### how to add to private repo (I can do this without pkg signing, but I have not succeeded in creating a signed package to test with):

* `newpkg="mypackage.r10.918a28e-1-any.pkg.tar.zst"` # example
* `namcap -i "$newpkg"`
* `repoctl add --require-signature "$newpkg"`

### repo questions:

* is the `--require-signature` arg needed in the line above?
Asked by MountainX (18898 rep)
Oct 15, 2020, 08:26 PM
Last activity: Oct 6, 2022, 01:24 PM
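The following script is an added example, not code from the question or from any answer on this page, and it uses pacman's own `repo-add` rather than `repoctl`. Two points it is built around: the checksum arrays in a PKGBUILD (what `makepkg -g` and `updpkgsums` fill in) cover the *sources* only, so neither the built package nor its signature ever goes into the PKGBUILD; the package signature is a detached `.sig` file placed next to the package, which is exactly what `makepkg --sign` produces, what `repo-add` picks up, and what pacman fetches from the repo. Because `extra-x86_64-build` runs makepkg inside the chroot with devtools' own makepkg config rather than the host's `/etc/makepkg.conf`, the example leaves the chroot build unsigned and signs the resulting file on the host with `gpg --detach-sign`. The client side imports only the public key into pacman's keyring (a secret key never belongs there) and uses `SigLevel = Required DatabaseRequired`, since pacman's default `Required DatabaseOptional` would not check the database signature. The fingerprint `1234ABCD09876`, the repo location `/srv/pkgrepo` and the repo name `myrepo` are assumed placeholders taken from or chosen for the example; `gpg`, `repo-add` and `pacman-key` are assumed to be installed.

```shell
#!/bin/bash
# Added example (not from the original post): sign a package built by
# extra-x86_64-build, publish it to a private repo with a signed database,
# and prepare the client side. Assumed placeholders: KEY, REPO_DIR, REPO_NAME.
set -eu

KEY="${GPGKEY:-1234ABCD09876}"          # assumed fingerprint (same value as GPGKEY in makepkg.conf)
REPO_DIR="${REPO_DIR:-/srv/pkgrepo}"    # assumed location of the private repo
REPO_NAME="${REPO_NAME:-myrepo}"        # assumed repo name ([myrepo] in pacman.conf)

# makepkg.conf wants the fingerprint without whitespace; gpg matches it
# case-insensitively, but keep it uppercase so it compares equal to what
# `gpg --fingerprint` prints.
normalize_gpgkey() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Detached binary signature beside the package: foo.pkg.tar.zst -> foo.pkg.tar.zst.sig.
# Same form `makepkg --sign` produces, so a package built unsigned in the
# chroot can be signed here on the host.
sign_package() {
    pkg="$1"
    rm -f "$pkg.sig"
    gpg --detach-sign --no-armor --local-user "$(normalize_gpgkey "$KEY")" "$pkg"
}

# Refuse to publish anything whose signature is missing or does not verify.
verify_package() {
    pkg="$1"
    [ -f "$pkg.sig" ] || { echo "missing $pkg.sig" >&2; return 1; }
    gpg --verify "$pkg.sig" "$pkg"
}

# repo-add picks up pkg.sig on its own. --sign signs the database file;
# --verify (only meaningful once a database signature exists) makes repo-add
# refuse to update a database whose current signature fails to verify.
add_to_repo() {
    pkg="$1"
    db="$REPO_DIR/$REPO_NAME.db.tar.gz"
    dest="$REPO_DIR/$(basename "$pkg")"
    verify=""
    [ -f "$db.sig" ] && verify="--verify"
    [ "$pkg" -ef "$dest" ] || cp "$pkg" "$pkg.sig" "$REPO_DIR/"
    repo-add --sign $verify --key "$(normalize_gpgkey "$KEY")" "$db" "$dest"
    gpg --verify "$db.sig" "$db"     # sanity check on the freshly signed database
}

# Stanza for the clients' /etc/pacman.conf. Required DatabaseRequired checks
# both the package signature and the database signature; pacman's default
# (Required DatabaseOptional) skips the database check when no signature exists.
repo_stanza() {
    printf '[%s]\nSigLevel = Required DatabaseRequired\nServer = file://%s\n' "$1" "$2"
}

# Client keyring: import the PUBLIC key only, then locally sign it so pacman
# treats it as trusted. Run this on each client, not on the build host.
client_trust_key() {
    fpr="$(normalize_gpgkey "$KEY")"
    gpg --armor --export "$fpr" > "/tmp/$fpr.pub"
    sudo pacman-key --add "/tmp/$fpr.pub"
    sudo pacman-key --lsign-key "$fpr"
}

main() {
    pkg="$1"
    sign_package "$pkg"
    verify_package "$pkg"
    add_to_repo "$pkg"
    echo "add this stanza to /etc/pacman.conf on each client:"
    repo_stanza "$REPO_NAME" "$REPO_DIR"
}

# Only run the publishing workflow when a package file is given; with no
# arguments the file just defines the helpers above.
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Usage: `./publish.sh mypackage.r10.918a28e-1-any.pkg.tar.zst` after the chroot build finishes, then run `client_trust_key` on each client and add the printed stanza to its `/etc/pacman.conf`. The `--verify` flag is only added once `myrepo.db.tar.gz.sig` exists, so the first publish creates the signed database and every later one refuses to touch a database whose signature no longer checks out.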