The latest (minimum) Linux packages aren't signed - https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/issues/1
I can sign them with my repository key, but then verification by checksums will be broken. So, I'd suggest signing them after build like MS did.
Is the recommendation that we sign the packages with a vscodium gpg key and then you include the same key in your repo?
Yeah. Repository metadata also should be signed with the same key.
@stripedpajamas you should generate the default key pair. The most tricky moment here is how to sign Gitlab repos with your key.
An alternative way is to sign all packages with my repo keys. It breaks checksum verification, but packages can be compared via something like pkgdiff.
rng-tools should be very useful in generating GPG keys. You could probably generate your own with them.
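The trade-off discussed above (signing the package file itself changes its checksum, while a detached signature over the repository metadata leaves the build output untouched) can be shown with a small model. The following is an added example, not code from VSCodium or from the deb/rpm repository; it uses Go's stdlib ed25519 as a stand-in for GPG, and the package contents, file names and manifest format are constructed for illustration (the manifest only loosely resembles a Debian Release file).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Constructed stand-ins for built packages; the bytes are invented, not real .deb/.rpm files.
var SamplePackages = map[string][]byte{
	"codium_1.0.0_amd64.deb":  []byte("constructed deb payload\n"),
	"codium-1.0.0.x86_64.rpm": []byte("constructed rpm payload\n"),
}

// Sha256Hex is the checksum a project publishes beside its build output.
func Sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// EmbedSignature models in-file signing (the rpm --addsign style): the signature is
// written into the artifact, so the artifact bytes and thus its checksum change.
func EmbedSignature(pkg []byte, priv ed25519.PrivateKey) []byte {
	sig := ed25519.Sign(priv, pkg)
	return append(append([]byte{}, pkg...), sig...)
}

// ChecksumBroken reports whether embedding a signature invalidates the checksum
// that was published for the unsigned build.
func ChecksumBroken(pkg []byte, priv ed25519.PrivateKey) bool {
	return Sha256Hex(EmbedSignature(pkg, priv)) != Sha256Hex(pkg)
}

// BuildManifest models repository metadata: one "<sha256> <size> <name>" line per
// package, sorted so the output is deterministic (assumed format, not apt's or rpm's).
func BuildManifest(pkgs map[string][]byte) []byte {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&buf, "%s %d %s\n", Sha256Hex(pkgs[n]), len(pkgs[n]), n)
	}
	return buf.Bytes()
}

// SignDetached models detached signing (the Release.gpg style): the signed bytes stay untouched,
// so checksums published for the packages remain valid.
func SignDetached(data []byte, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, data)
}

// VerifyPackage is the client side: check the metadata signature with the project's public
// key, then check the downloaded package against the checksum listed in that metadata.
func VerifyPackage(manifest, manifestSig []byte, pub ed25519.PublicKey, name string, pkg []byte) bool {
	if !ed25519.Verify(pub, manifest, manifestSig) {
		return false // metadata not signed by the expected key
	}
	got := Sha256Hex(pkg)
	for _, line := range bytes.Split(bytes.TrimSpace(manifest), []byte("\n")) {
		fields := bytes.Fields(line)
		if len(fields) == 3 && string(fields[2]) == name {
			return string(fields[0]) == got
		}
	}
	return false // package not listed in the signed metadata
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	deb := SamplePackages["codium_1.0.0_amd64.deb"]
	fmt.Println("embedded signature breaks the published checksum:", ChecksumBroken(deb, priv))

	manifest := BuildManifest(SamplePackages)
	sig := SignDetached(manifest, priv)
	fmt.Println("genuine package verifies:", VerifyPackage(manifest, sig, pub, "codium_1.0.0_amd64.deb", deb))
	tampered := append([]byte("injected "), deb...)
	fmt.Println("tampered package verifies:", VerifyPackage(manifest, sig, pub, "codium_1.0.0_amd64.deb", tampered))
}
```

The point of keeping one key for both the packages and the metadata, as the thread suggests, is visible in `VerifyPackage`: a client only has to trust a single public key, and a package that is not listed in the signed metadata, or whose bytes differ from the listed checksum, is rejected even though the package file itself carries no signature.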