checking in while i do some research

extra/dist.build.ini

@@ -178,10 +178,11 @@ mirrorchksum = ${mirrorpath}sha1sums.txt
 ; If you specify just '.sig' (or use the default
 ; and don't actually specify a mirrorfile),
 ; we'll try to guess based on the file from the sha1
-; checksums.
+; checksums. Note that this must evaluate to a full
+; URL (e.g.:
+;	${mirrorproto}://${mirror}${mirrorpath}somefile.sig)
 ; 0.) No whitespace (if specified)
 ; 1.) Must be the full path
-; 2.) Don't include the mirror domain or protocol
 mirrorgpgsig = ${mirrorfile}.sig
 
 ; What is a valid key ID that should be used to
@@ -296,8 +297,9 @@ i_am_a_racecar = yes
 ; What is a valid key ID that we should use to
 ; *sign* our release files?
 ; 0.) You will be prompted for a passphrase if your
-;     key has one/you don't have an open gpg-agent
-;     session.
+;     key has one/you don't have an open and authorized
+;     gpg-agent session. Make sure you have a working
+;     pinentry configuration set up!
 ; 1.) If you leave this blank we will use the key
 ;     we generate automatically earlier in the build
 ;     process.

extra/templates/GPG.j2

@@ -0,0 +1,14 @@
+{# For more options, see https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
+#}<GnupgKeyParms format="internal">
+    Key-Type: RSA
+    Key-Length: 4096
+    Subkey-Type: RSA
+    Subkey-Length: 4096
+    Name-Real: {{ bdisk['dev'] }}
+    Name-Email: {{ bdisk['email'] }}
+    Name-Comment: via {{ bdisk['pname'] }} [autogenerated] | {{ bdisk['uri'] }} | {{ bdisk['desc'] }}
+    Expire-Date: 0
+    %no-ask-passphrase
+    %no-protection
+    %commit
+</GnupgKeyParms>