Add support for signing the ECL Standard Library during the build

Description

Since we added the ability to restrict use of SERVICE and embedded C++ to signed modules only, we need to think about ensuring that the ECL Standard library is signed (otherwise there are parts of it that people won't be able to use).

It MAY be sufficient to statically sign a limited set of modules that use SERVICE or C++ provided that we accept that it will be hard for developers to make their own changes in those modules.

Conclusion

None

Activity


Michael Gardner March 29, 2016 at 7:16 PM
Edited

I have it about done. Just cleaning up the output on installation. I had to make sure that the gpg import ran as ${user} instead of root so that when eclcc runs as ${user} we have access to the public key.

The ability to sign modules is turned on using the cmake -DSIGN_MODULES=ON flag. With SIGN_MODULES=OFF (default) the behavior remains as it was before this PR. It is assumed that a user has a private/public key pair on the build system when using SIGN_MODULES. The current implementation uses the default private/public key in the user's keychain, and packages their public key with the platform. The public key is installed under the username that gets created at installation for running our binaries (default: hpcc). This is so that the pipe->run() for the gpg --verify will pick up the correct public key.

I'm a little lost on how to properly test this. I don't really write ECL myself. I know that the files get signed correctly, and that a gpg --verify on them as the installed user works. Ideas on who I should @ to review?
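
The keyring dependency described in the comment above can be reproduced in isolation. This is an added example, not part of the original thread or the HPCC build scripts: two `--homedir` directories stand in for the build user's and the runtime user's keyrings, and the key identity, file name and file content are constructed.

```shell
# Added example: two --homedir directories stand in for the build user's
# keyring and the runtime user's keyring. Key identity and file are constructed.
# Prints three gpg --verify exit statuses: "<no_key> <key_imported> <tampered>".
sign_and_verify_demo() {
    work=$(mktemp -d) || return 1
    build="$work/build"; runtime="$work/runtime"
    mkdir -m 700 "$build" "$runtime"

    # Build side: throwaway signing key with no passphrase (constructed identity).
    gpg --homedir "$build" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Build Key <build@example.invalid>' \
        default default never 2>/dev/null || { rm -rf "$work"; return 1; }

    # Clearsign a sample module and export the public key for packaging.
    printf 'EXPORT Sample := MODULE\nEND;\n' > "$work/Sample.ecl"
    gpg --homedir "$build" --batch --quiet --yes --output "$work/Sample.ecl.asc" \
        --clearsign "$work/Sample.ecl" 2>/dev/null || { rm -rf "$work"; return 1; }
    gpg --homedir "$build" --batch --armor --export > "$work/pub.key"

    # Runtime side, before the key is installed: verification must fail,
    # which is what happens when the key was imported for a different user.
    no_key=0
    gpg --homedir "$runtime" --batch --verify "$work/Sample.ecl.asc" \
        >/dev/null 2>&1 || no_key=$?

    # Import the packaged public key into the runtime keyring and verify again.
    gpg --homedir "$runtime" --batch --quiet --import "$work/pub.key" 2>/dev/null
    imported=0
    gpg --homedir "$runtime" --batch --verify "$work/Sample.ecl.asc" \
        >/dev/null 2>&1 || imported=$?

    # A modified signed body must be rejected even with the key present.
    sed 's/EXPORT Sample/EXPORT Tampered/' "$work/Sample.ecl.asc" > "$work/Tampered.asc"
    tampered=0
    gpg --homedir "$runtime" --batch --verify "$work/Tampered.asc" \
        >/dev/null 2>&1 || tampered=$?

    # Stop the agent started for the throwaway keyring, then clean up.
    GNUPGHOME="$build" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$no_key $imported $tampered"
}
```

Calling `sign_and_verify_demo` prints a non-zero status for the empty keyring, `0` once the public key is imported, and a non-zero status for the tampered file.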

Richard Chapman March 29, 2016 at 8:40 AM

Yes, pretty much. I think we just need to run gpg --clearsign on all the files in the std library, and add the public key that we sign with into the installation (so that eclcc can locate it).

Michael Gardner March 28, 2016 at 7:19 PM

I have a view of my branch up at https://github.com/hpcc-systems/HPCC-Platform/compare/candidate-6.0.0...Michael-Gardner:HPCC-14931

It looks like flex is looking for the type of pattern that comes from using a gpg --clearsign, and then running a check on the signature against what it's loaded on the server? I set up a macro so we can easily sign all the files within the ecllibrary/std. Am I understanding the problem correctly?

Fixed

Details

Priority

Compatibility

Major

Created February 16, 2016 at 12:12 PM
Updated March 31, 2016 at 4:58 PM
Resolved March 31, 2016 at 4:58 PM