On 2019-07-21 02:42, Eli Schwartz via arch-general wrote:
> How does renaming the file from SHA256.sig to SHA256 help you validate
> the contents using signify?

I rename it in the source array:

    "SHA256::${_mirrorurl}/${pkgver}/amd64/SHA256.sig"

That way makepkg doesn't think it's a PGP signature. Note that the SHA256.sig file has the checksums embedded in the file, as the signature/additional comments are at the top and take up at most two lines.

> Moreover, what good do the checksums do you, when it's the files
> themselves that you want to verify?

Signify verifies the signature and then verifies the checksums of each file. While I could just use the sha256sums array, I prefer using signify as that is how the OpenBSD project distributes their files securely. Since these files can also be downloaded in the clear (FTP), verifying them becomes an absolute must.

> The latter problem is why I'm incredibly frustrated by projects that use
> PGP, too -- when the only thing they sign is a file containing checksums,
> and not the actual source file.
I'm not sure what the problem is here, isn't validating the signature and checksums good enough?

-- 
Stephen Gregoratto
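The rename trick and the verification step described in this reply, as an added example that is not part of the original thread or of Stephen's PKGBUILD. The mirror URL, the public-key file name, the `prepare()` placement and the sample checksum list are constructed placeholders; the checksum in the sample is that of the one-line file the script writes itself.

```shell
#!/bin/sh
# Added example, not from the arch-general thread. The PKGBUILD fragment
# below (bash, shown as a comment) saves SHA256.sig as SHA256 on download so
# makepkg does not treat it as a PGP signature; signify then checks the
# signature over the list and every listed file. _mirrorurl, the key file
# name and the use of prepare() are placeholders/assumptions.
#
#   _mirrorurl="https://ftp.example.invalid/pub/OpenBSD"    # placeholder
#   source=("SHA256::${_mirrorurl}/${pkgver}/amd64/SHA256.sig"
#           "${_mirrorurl}/${pkgver}/amd64/INSTALL.amd64")
#   prepare() {
#       cd "$srcdir"
#       # -C: verify the signed checksum list, then check each named file
#       signify -C -p "$startdir/openbsd-base.pub" -x SHA256 INSTALL.amd64
#   }

# Full verification: signature over the list first, then the checksums of
# the named files (all listed files if none are named). The exit status is
# signify's own, non-zero on any failure. Requires signify on PATH.
verify_signed_checklist() {
    pubkey=$1; listfile=$2; shift 2
    signify -C -p "$pubkey" -x "$listfile" "$@"
}

# Layout of the signed list: line 1 is the "untrusted comment:" header,
# line 2 is the base64 signature, everything after is "SHA256 (name) = hex".
signify_checklist_body() {
    sed '1,2d' "$1"
}

# Integrity-only check of the embedded list. This is what the checksums
# alone buy you: they catch corruption, but without the signature check
# nothing ties the list to the OpenBSD project, which is the gap when the
# files arrive over plain FTP. Returns 0 only if every entry matches.
checksums_match() {
    dir=$1; listfile=$2
    signify_checklist_body "$listfile" | (
        rc=0
        while IFS= read -r line; do
            name=${line#"SHA256 ("}; name=${name%%")"*}
            want=${line##*"= "}
            have=$(sha256sum "$dir/$name" 2>/dev/null | cut -d' ' -f1)
            [ "$have" = "$want" ] || rc=1
        done
        exit $rc
    )
}

# Constructed sample: a one-line file plus a list in the signify layout.
# The signature line is a dummy, so only checksums_match() applies to it;
# verify_signed_checklist() needs a real list and the matching public key.
make_sample() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/INSTALL.amd64"
    cat > "$dir/SHA256" <<'EOF'
untrusted comment: verify with openbsd-base.pub (constructed sample)
RWSconstructedDummySignatureNotValidxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SHA256 (INSTALL.amd64) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
EOF
    printf '%s\n' "$dir"
}
```

`signify -C` refuses to check any file until the signature over the list verifies, so a list that fails the signature check is never used; `checksums_match` is only the integrity half and is here to make the thread's point that a checksum list on its own authenticates nothing.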