From 62bb13893107fc5c499d6e94ec7549fcf996c9df Mon Sep 17 00:00:00 2001
From: Mark Hymers <mhy@debian.org>
Date: Sat, 30 Jul 2011 10:36:30 +0100
Subject: [PATCH] Add docs that the secret key only needs to be able to sign

Signed-off-by: Mark Hymers <mhy@debian.org>
---
 setup/README | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/setup/README b/setup/README
index c193e9a3..9d5103c1 100644
--- a/setup/README
+++ b/setup/README
@@ -67,7 +67,9 @@ WARNING: Please check these templates over and customise as necessary
 # cp templates/* /srv/dak/templates/
 
 Set up a private signing key: don't set a passphrase as dak will not
-pass one through to gpg.  Guard this key carefully
+pass one through to gpg.  Guard this key carefully!
+The key only needs to be able to sign, it doesn't need to be able
+to encrypt.
 # gpg --no-default-keyring --secret-keyring /srv/dak/keyrings/s3kr1t/dot-gnupg/secring.gpg --keyring /srv/dak/keyrings/s3kr1t/dot-gnupg/pubring.gpg --gen-key
 Remember the signing key id for when creating the suite below.
 Here we'll pretend it is DDDDDDDD for convenience
-- 
2.39.2