[arch-general] Proper use of signify in PKGBUILDs

Stephen Gregoratto dev at sgregoratto.me
Sun Jul 21 08:11:12 UTC 2019


On 2019-07-21 02:42, Eli Schwartz via arch-general wrote:
> How does renaming the file from SHA256.sig to SHA256 help you validate
> the contents using signify?

I rename it in the source array:

  "SHA256::${_mirrorurl}/${pkgver}/amd64/SHA256.sig"

That way makepkg doesn't think it's a PGP signature. Note that the
SHA256.sig file has the checksums embedded in the file, as the
signature/additional comments are at the top and take up at most two
lines.

> Moreover, what good do the checksums do you, when it's the files
> themselves that you want to verify?

Signify verifies the signature and then verifies the checksums of each
file. While I could just use the sha256sums array, I prefer using
signify as that is how the OpenBSD project distributes their files
securely. Since these files can also be downloaded in the clear (FTP),
verifying them becomes an absolute must.
> The latter problem is why I'm incredibly frustrated by projects that use
> PGP, too -- when the only thing they sign is a file containing checksums,
> and not the actual source file.

I'm not sure what the problem is here; isn't validating the signature
and checksums good enough?
-- 
Stephen Gregoratto
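As an added illustration of the approach discussed in this thread (not code from the post or from any real PKGBUILD), here is a PKGBUILD fragment that renames the signify-signed checksum list in the source array and checks it with signify in prepare(); the package name, mirror URL and the checksum value are placeholders, and the key file is assumed to be kept next to the PKGBUILD.

```bash
# Added example, not from the thread: a PKGBUILD fragment for the rename trick.
# Package name, mirror URL and the checksum value are placeholders.
pkgname=example-openbsd-base
pkgver=6.5
pkgrel=1
arch=('x86_64')
_mirrorurl='https://mirror.example.invalid/pub/OpenBSD'
_set="${pkgver//./}"                 # e.g. "65" for 6.5
_pubkey="openbsd-${_set}-base.pub"   # signify public key shipped beside the PKGBUILD
source=(
  # name::url renames SHA256.sig to SHA256 so makepkg does not treat it as a
  # PGP detached signature for a file called SHA256
  "SHA256::${_mirrorurl}/${pkgver}/amd64/SHA256.sig"
  "${_mirrorurl}/${pkgver}/amd64/base${_set}.tgz"
  "${_pubkey}"
)
# The first two entries are verified by signify in prepare(); the public key
# is the trust anchor, so its checksum must be pinned here rather than SKIP'd.
sha256sums=('SKIP'
            'SKIP'
            'PLACEHOLDER_PUBKEY_SHA256')

prepare() {
  cd "${srcdir}"
  # -C: verify the signature on the list, then the checksum of each named file
  # -p: the pinned public key   -x: the signed checksum list (renamed above)
  signify -C -p "${_pubkey}" -x SHA256 "base${_set}.tgz"
}
```

Because signify -C only checks the files named on its command line, every downloaded file that relies on the signed list must be passed to it explicitly.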