On 13.05.19 at 13:53, Justin Capella via arch-general wrote: ...
I recognize base64 but RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/L42V8xe78eOx7kyXAJ3rPF30MUQpBayUSkof3KQxE35CA0= in the sig file associated with liblzf... But it's useless to me without the extraneous tool I'm not installing. Seeing as git signs with gpg, I think it's fair to say that's the norm.
... The tool he uses is called signify, which is the "OpenBSD tool to signs and verify signatures on files". It is packaged in community. I have no opinion on the use of such signatures in a Linux environment. He has also linked to the signature and the verification process (see quote below). Theoretically it would be possible to verify the signatures in a prepare() function, but it does feel a bit more complicated than directly using a gpg signature. Signify is the result of a desire to have a signature tool that can be audited easily; OpenBSD claims gpg implementations are too complicated for that. [*]

--
ProgAndy

[*] https://www.openbsd.org/papers/bsdcan-signify.html
On Sat, May 11, 2019, 9:20 AM Marc Lehmann via arch-general <arch-general@archlinux.org> wrote:
A few of my packages are distributed on http://dist.schmorp.de/, backed up by signify signatures, in turn backed up by gpg(1), and other means.
...
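Signify's verification path is short enough to read in full, which is the auditability argument the OpenBSD paper cited above makes. The following is an added illustration, not code from this thread, from signify or from OpenBSD: a pure-Python reimplementation that parses signify's public-key and signature files (an "untrusted comment:" line over base64 of the "Ed" tag, an 8-byte key number and the key or signature), refuses a signature whose key number does not match the key, and then verifies the Ed25519 signature over the file contents. The key number and comments are constructed, the key and signature are RFC 8032 test vector 1 (empty message), and the Ed25519 arithmetic is deliberately plain and variable-time, meant for reading rather than for a PKGBUILD.

```python
import base64, hashlib
P, Q = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493  # Ed25519 field prime and group order
D, I = -121665 * pow(121666, P - 2, P) % P, pow(2, (P - 1) // 4, P)  # curve constant d and sqrt(-1)

def point_add(p1, p2):  # affine twisted-Edwards addition: slow, but every step is visible
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P)

def scalar_mult(pt, n):  # double-and-add from the most significant bit (variable time)
    acc = (0, 1)  # neutral element
    for bit in bin(n)[2:]:  # double, then add pt (or the neutral element) for each bit
        acc = point_add(point_add(acc, acc), pt if bit == "1" else (0, 1))
    return acc

def decode_point(b):  # 32-byte compressed point -> (x, y); ValueError if not on the curve
    y = int.from_bytes(b, "little") & ((1 << 255) - 1)
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(xx, (P + 3) // 8, P)
    x = x * I % P if (x * x - xx) % P else x  # try the second square-root candidate
    if (x * x - xx) % P: raise ValueError("point not on curve")
    return (P - x if (x & 1) != b[31] >> 7 else x), y

BASE = decode_point((4 * pow(5, P - 2, P) % P).to_bytes(32, "little"))  # generator B, y = 4/5

def ed25519_verify(pub, msg, sig):  # RFC 8032: accept iff S < Q and [S]B == R + [H(R|A|M)]A
    a, r, s = decode_point(pub), decode_point(sig[:32]), int.from_bytes(sig[32:], "little")
    h = int.from_bytes(hashlib.sha512(sig[:32] + pub + msg).digest(), "little") % Q
    return s < Q and scalar_mult(BASE, s) == point_add(r, scalar_mult(a, h))

def parse_signify(text, body_len):  # one "untrusted comment:" line, then base64('Ed' | keynum(8) | body)
    lines = text.strip().splitlines()
    raw = base64.b64decode(lines[1], validate=True) if len(lines) == 2 else b""
    if (len(lines) != 2 or not lines[0].startswith("untrusted comment:")
            or raw[:2] != b"Ed" or len(raw) != 10 + body_len):
        raise ValueError("not a signify file of the expected kind")
    return raw[2:10], raw[10:]  # (keynum, key or signature bytes)

def signify_verify(pubkey_file, sig_file, message):  # what `signify -V -p pub -x sig -m file` decides
    keynum_pub, pub = parse_signify(pubkey_file, 32)
    keynum_sig, sig = parse_signify(sig_file, 64)
    return keynum_pub == keynum_sig and ed25519_verify(pub, message, sig)  # other key -> refuse

# Constructed sample: RFC 8032 test vector 1 (empty message) wrapped in signify's file format.
KEYNUM = bytes.fromhex("0123456789abcdef")  # made-up key id; real signify draws 8 random bytes
PUB_FILE = "untrusted comment: constructed test key\n%s\n" % base64.b64encode(b"Ed" + KEYNUM + bytes.fromhex(
    "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")).decode()
SIG_FILE = "untrusted comment: verify with test.pub\n%s\n" % base64.b64encode(b"Ed" + KEYNUM + bytes.fromhex(
    "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")).decode()
```

Against files on disk, `signify -V -p key.pub -x file.sig -m file` performs the same three checks, which is what a verification step in prepare() would call.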