[arch-general] Proper use of signify in PKGBUILDs
Eli Schwartz
eschwartz at archlinux.org
Sun Jul 21 06:42:39 UTC 2019
On 7/21/19 2:19 AM, Stephen Gregoratto via arch-general wrote:
> I recently adopted the openbsd-manpages package[1], and wanted to verify
> downloaded files using OpenBSD's signify(1) tool. For each release of
> OpenBSD, you download the base public key[2], the architecture-specific
> files and the SHA256.sig[3] for those files.
> The files are verified by running:
>
> signify -Cp openbsd-65-base.pub -x SHA256.sig *.tgz
>
> The problem is that PKGBUILD thinks that the signify signature is a PGP
> signature, and tries to verify it against a non-existent file/PGP key.
> I've worked around this by renaming SHA256.sig to SHA256.
>
> Have any other packagers/maintainers experienced this problem,
> and if so are there any better solutions other than the one I mentioned?
>
> [1] https://aur.archlinux.org/packages/openbsd-manpages/
> [2] https://ftp.openbsd.org/pub/OpenBSD/6.5/openbsd-65-base.pub
> [3] https://ftp.openbsd.org/pub/OpenBSD/6.5/amd64/SHA256.sig
The non-standard "signify" utility is not supported by makepkg, and
doesn't have a "solution" at all, really. It's never been an issue
before, because as far as I'm aware people don't actually use it in the
wild -- excepting, of course, OpenBSD itself, and you're attempting to
package something produced by OpenBSD, which I suppose explains why you
have such signature files to try verifying.
...
As a matter of curiosity, how does renaming the file from SHA256.sig to
SHA256 help you validate the contents using signify? Moreover, what good
do the checksums do you, when it's the files themselves that you want to
verify?
The latter problem is why I'm incredibly frustrated by projects that use
PGP, too -- when the only thing they sign is a file containing
checksums, and not the actual source file.
--
Eli Schwartz
Bug Wrangler and Trusted User
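To make the distinction in this thread concrete, the following added example (written for this page, not code from OpenBSD's signify or from the openbsd-manpages package) reimplements in pure Python what `signify -C -p openbsd-65-base.pub -x SHA256.sig *.tgz` does: parse the signify key and signature framing (an "untrusted comment:" line followed by base64 of "Ed", an 8-byte key id and the key or signature, with the signed message appended after the signature line for `-e` style files), verify the Ed25519 signature over the whole checksum list, refuse a key-id mismatch, and only then hash every file the list names. This is why SHA256.sig is not a PGP signature and cannot be checked by makepkg's PGP logic, and it is also why a signed checksum list does verify the tarballs, as long as the key is trusted and every downloaded file is actually checked against the list. The Ed25519 arithmetic follows the original reference implementation (readable, slow, not for production use). The key seed, key id, file names and contents are constructed for the demo; the directory layout and names are assumptions.

```python
"""Pure-Python sketch of `signify -C` verification (added illustration, not signify itself)."""
import base64
import hashlib
import pathlib
import re
import tempfile

# --- Ed25519, reference-style (RFC 8032); affine coordinates, slow but dependency-free ---
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493

def inv(x):
    return pow(x, q - 2, q)

d = (-121665 * inv(121666)) % q
I = pow(2, (q - 1) // 4, q)

def xrecover(y):
    """Recover the even x coordinate for a given y on the twisted Edwards curve."""
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    return q - x if x % 2 else x

By = (4 * inv(5)) % q
B = (xrecover(By), By)                      # base point

def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
    return (x3 % q, y3 % q)

def scalar_mult(P, e):
    """Double-and-add, least significant bit first."""
    Q = (0, 1)                              # neutral element
    while e:
        if e & 1:
            Q = edwards_add(Q, P)
        P = edwards_add(P, P)
        e >>= 1
    return Q

def encode_point(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode_point(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (n >> 255):
        x = (q - x) % q
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)

def hash_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def secret_scalar(seed):
    h = hashlib.sha512(seed).digest()
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254), h[32:]

def ed25519_public_key(seed):
    return encode_point(scalar_mult(B, secret_scalar(seed)[0]))

def ed25519_sign(seed, msg):
    a, prefix = secret_scalar(seed)
    A = encode_point(scalar_mult(B, a))
    r = hash_int(prefix, msg)
    R = encode_point(scalar_mult(B, r % l))
    S = (r + hash_int(R, A, msg) * a) % l
    return R + S.to_bytes(32, "little")

def ed25519_verify(pk, msg, sig):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = decode_point(sig[:32]), decode_point(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= l:
        return False
    h = hash_int(sig[:32], pk, msg) % l
    return scalar_mult(B, S) == edwards_add(R, scalar_mult(A, h))

# --- signify file framing ---------------------------------------------------------------
def signify_pubkey_file(seed, keynum):
    return "untrusted comment: example public key\n" + base64.b64encode(b"Ed" + keynum + ed25519_public_key(seed)).decode() + "\n"

def signify_sign_embedded(seed, keynum, message, pubname):
    """Like `signify -S -e`: comment line, signature blob line, then the message itself."""
    blob = base64.b64encode(b"Ed" + keynum + ed25519_sign(seed, message)).decode()
    return f"untrusted comment: verify with {pubname}\n{blob}\n" + message.decode()

def parse_signify_blob(text):
    """Return (8-byte key id, payload, text after the blob line)."""
    comment, blob, rest = text.split("\n", 2)
    if not comment.startswith("untrusted comment:"):
        raise ValueError("missing untrusted comment line")
    raw = base64.b64decode(blob)
    if raw[:2] != b"Ed":
        raise ValueError("unsupported algorithm")
    return raw[2:10], raw[10:], rest

def signify_check_list(pubkey_text, sig_text, directory):
    """What `signify -C -p pub -x SHA256.sig` does. Raises on a bad signature or key id;
    otherwise returns {filename: "OK" | "FAIL"} for every file named in the signed list."""
    pub_id, pubkey, _ = parse_signify_blob(pubkey_text)
    sig_id, sig, message = parse_signify_blob(sig_text)
    if pub_id != sig_id:
        raise ValueError("verification key was not used to sign this file")
    if not ed25519_verify(pubkey, message.encode(), sig):
        raise ValueError("signature verification failed")
    results = {}
    for m in re.finditer(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$", message, re.M):
        data = pathlib.Path(directory, m.group(1)).read_bytes()
        results[m.group(1)] = "OK" if hashlib.sha256(data).hexdigest() == m.group(2) else "FAIL"
    return results

def demo():
    """Constructed run: key, two fake release files, signed SHA256 list, then one tampered file."""
    seed = hashlib.sha256(b"constructed example seed, not a real OpenBSD key").digest()
    keynum = bytes(range(1, 9))             # constructed key id
    pub = signify_pubkey_file(seed, keynum)
    with tempfile.TemporaryDirectory() as tmp:
        files = {"man65.tgz": b"manual pages", "base65.tgz": b"base set"}
        lines = []
        for name, data in files.items():
            pathlib.Path(tmp, name).write_bytes(data)
            lines.append(f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}")
        sig_file = signify_sign_embedded(seed, keynum, ("\n".join(lines) + "\n").encode(), "openbsd-65-base.pub")
        clean = signify_check_list(pub, sig_file, tmp)
        pathlib.Path(tmp, "man65.tgz").write_bytes(b"tampered")   # signature still valid, file check must catch it
        return clean, signify_check_list(pub, sig_file, tmp)

if __name__ == "__main__":
    print(demo())
```

The two dictionaries `demo()` returns show the point of `-C`: the signature over the list holds in both runs, and it is the per-file hash comparison that flags the altered tarball. In a PKGBUILD the same two steps map onto makepkg's existing machinery: download the list under a name that does not end in `.sig` (the `localname::url` form of the `source` array), so makepkg does not try to treat it as a PGP signature, and run `signify -C` against it in `prepare()`.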