What you describe sounds non-trivial; if we consider non-trivial, I'd like to propose something slightly different:
* sign hwpacks on snapshots.linaro.org/releases.linaro.org with some new key(s)
* ship these keys in linaro-image-tools and use them to verify hwpacks
* bundle keys of referenced repositories within hwpacks
The advantages are that we don't bundle anything specific to our hwpacks' contents in linaro-image-tools, and we also get hwpack signatures; this also allows people to list their own PPAs + signatures in their custom hwpacks. The disadvantage is some more work on the server side (keeping the signing keys).
What you describe sounds non-trivial; if we consider non-trivial, I'd like to propose something slightly different: linaro. org/releases. linaro. org with some new key(s)
* sign hwpacks on snapshots.
* ship these keys in linaro-image-tools and use them to verify hwpacks
* bundle keys of referenced repositories within hwpacks
The advantages are that we don't bundle anything specific to our hwpacks' contents in linaro-image-tools, and we also get hwpack signatures; this also allows people to list their own PPAs + signatures in their custom hwpacks. The disadvantage is some more work on the server side (keeping the signing keys).