[arch-general] Proper use of signify in PKGBUILDs

Stephen Gregoratto dev at sgregoratto.me
Sun Jul 21 06:19:08 UTC 2019

I recently adopted the openbsd-manpages package[1], and wanted to verify
downloaded files using OpenBSD's signify(1) tool. For each release of
OpenBSD, you download the base public key[2], the architecture-specific
files and the SHA256.sig[3] for those files.
The files are verified by running:
  signify -Cp openbsd-65-base.pub -x SHA256.sig *.tgz

The problem is that PKGBUILD thinks that the signify signature is a PGP
signature, and tries to verify it against a non-existent file/PGP key.
I've worked around this by renaming SHA256.sig to SHA256.

Have any other packagers/maintainers experienced this problem,
and if so are there any better solutions other than the one I mentioned?

[1] https://aur.archlinux.org/packages/openbsd-manpages/
[2] https://ftp.openbsd.org/pub/OpenBSD/6.5/openbsd-65-base.pub
[3] https://ftp.openbsd.org/pub/OpenBSD/6.5/amd64/SHA256.sig
Stephen Gregoratto
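
The workaround described in the post, written out as a PKGBUILD fragment. This is an added example, not code from the original post or from the openbsd-manpages package; the `_sets` contents, the `signify` makedepends name and the checksum placeholder are assumptions.

```bash
# Constructed PKGBUILD fragment: only the verification-related parts are shown.
pkgname=openbsd-manpages
pkgver=6.5
_rel=${pkgver/./}                        # "65"
_mirror="https://ftp.openbsd.org/pub/OpenBSD/$pkgver"
_sets=("man$_rel.tgz")                   # assumption: the sets this package ships
makedepends=('signify')                  # assumption: package providing signify(1)

source=("$_mirror/openbsd-$_rel-base.pub"
        # The "SHA256::" prefix stores the download as plain "SHA256", so
        # makepkg does not treat it as a detached PGP signature (.sig suffix).
        "SHA256::$_mirror/amd64/SHA256.sig")
for _s in "${_sets[@]}"; do
  source+=("$_mirror/amd64/$_s")
done

# The public key is the trust anchor, so pin it by checksum in the PKGBUILD.
# The sets are covered by the signed SHA256 list and can be skipped here.
sha256sums=('REPLACE_WITH_PUBKEY_SHA256' # placeholder, not a real hash
            'SKIP')
for _s in "${_sets[@]}"; do
  sha256sums+=('SKIP')
done

prepare() {
  cd "$srcdir"
  # signify -C verifies the signed checksum list against the pinned key and
  # then checks each named file against that list. A non-zero exit status
  # makes prepare() fail, which stops the build.
  signify -Cp "openbsd-$_rel-base.pub" -x SHA256 "${_sets[@]}"
}
```

Pinning the key's checksum matters because the key is fetched from the same mirror as the files it signs.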
