Depending on what your circumstances are, packaging them as an RPM package may have merits.
Quoting myself (source):
[β¦] copying files from less-trusted to more-trusted qubes should be avoided. Because dom0 is the most trusted qube and the most critical qube, copying files to dom0 from a work qube on a regular basis doesnβt seem reasonable to me (your circumstances may be different!)
There are, however, mechanisms by which dom0 can be updated. In particular, the dom0 secure updates mechanism provides better security than copying files between qubes. In order to take advantage of the secure updates mechanism, we need to package our [files] as RPM packages, and use the security features of the RPM workflow to allow dom0 to verify them. This guide explains how to do that.
My personal approach is to make it easier for folks to package themselves the files I provide, so they only have to trust themselves, but you could as well distribute RPM packages if thatβs your preference.
That writing and code originated from the following topic on this forum (centered on copying Salt files, but applies to any kind of file):