[arch-general] Proper use of signify in PKGBUILDs

Eli Schwartz eschwartz at archlinux.org
Sun Jul 21 06:42:39 UTC 2019

On 7/21/19 2:19 AM, Stephen Gregoratto via arch-general wrote:
> I recently adopted the openbsd-manpages package[1], and wanted to verify
> downloaded files using OpenBSD's signify(1) tool. For each release of
> OpenBSD, you download the base public key[2], the architecture-specific
> files and the SHA256.sig[3] for those files.
> The files are verified by running:
>    signify -Cp openbsd-65-base.pub -x SHA256.sig *.tgz
> The problem is that PKGBUILD thinks that the signify signature is a PGP
> signature, and tries to verify it against a non-existent file/PGP key.
> I've worked around this by renaming SHA256.sig to SHA256.
> Have any other packagers/maintainers experienced this problem,
> and if so are there any better solutions other than the one I mentioned?
> [1] https://aur.archlinux.org/packages/openbsd-manpages/
> [2] https://ftp.openbsd.org/pub/OpenBSD/6.5/openbsd-65-base.pub
> [3] https://ftp.openbsd.org/pub/OpenBSD/6.5/amd64/SHA256.sig

The non-standard "signify" utility is not supported by makepkg, and 
doesn't have a "solution" at all, really. It's never been an issue 
before, because as far as I'm aware people don't actually use it in the 
wild -- excepting, of course, OpenBSD itself, and you're attempting to 
package something produced by OpenBSD, which I suppose explains why you 
have such signature files to try verifying.


As a matter of curiosity, how does renaming the file from SHA256.sig to 
SHA256 help you validate the contents using signify? Moreover, what good 
do the checksums do you, when it's the files themselves that you want to 

The latter problem is why I'm incredibly frustrated by projects that use 
PGP, too -- when the only thing they sign is a file containing 
checksums, and not the actual source file.

Eli Schwartz
Bug Wrangler and Trusted User

More information about the arch-general mailing list