On 7/21/19 2:19 AM, Stephen Gregoratto via arch-general wrote:
I recently adopted the openbsd-manpages package[1], and wanted to verify downloaded files using OpenBSD's signify(1) tool. For each release of OpenBSD, you download the base public key[2], the architecture-specific files and the SHA256.sig[3] for those files. The files are verified by running:
signify -Cp openbsd-65-base.pub -x SHA256.sig *.tgz
The problem is that PKGBUILD thinks that the signify signature is a PGP signature, and tries to verify it against a non-existent file/PGP key. I've worked around this by renaming SHA256.sig to SHA256.
Have any other packagers/maintainers experienced this problem, and if so are there any better solutions other than the one I mentioned?
[1] https://aur.archlinux.org/packages/openbsd-manpages/ [2] https://ftp.openbsd.org/pub/OpenBSD/6.5/openbsd-65-base.pub [3] https://ftp.openbsd.org/pub/OpenBSD/6.5/amd64/SHA256.sig
The non-standard "signify" utility is not supported by makepkg, and doesn't have a "solution" at all, really. It's never been an issue before, because as far as I'm aware people don't actually use it in the wild -- excepting, of course, OpenBSD itself, and you're attempting to package something produced by OpenBSD, which I suppose explains why you have such signature files to try verifying. ... As a matter of curiosity, how does renaming the file from SHA256.sig to SHA256 help you validate the contents using signify? Moreover, what good do the checksums do you, when it's the files themselves that you want to verify? The latter problem is why I'm incredibly frustrated by projects that use PGP, too -- when the only thing they sign is a file containing checksums, and not the actual source file. -- Eli Schwartz Bug Wrangler and Trusted User