[arch-general] Proper use of signify in PKGBUILDs

brent s. bts at square-r00t.net
Sun Jul 21 13:19:16 UTC 2019

On 7/21/19 4:40 AM, Ralf Mardorf via arch-general wrote:
> On Sun, 21 Jul 2019 02:42:39 -0400, Eli Schwartz via arch-general wrote:
>> The latter problem is why I'm incredibly frustrated by projects that
>> use PGP, too -- when the only thing they sign is a file containing 
>> checksums, and not the actual source file.
> But it doesn't matter, since when the checksum is signed, it's more or
> less the same as signing the source file/s, that's why almost all simply
> sign a file containing one or more checksums. Why should this be
> frustrating? If we are able to ensure that a checksum isn't faked,
> IOW if we can trust the checksum, then we are safe that a source file
> passing a check against the proven checksum is correct, too.

I can't speak for why it bothers Eli, but it bothers me because that's
exactly what GPG detached sigs are already: signed hash checksums. The
signify method is a signed hash checksum of a (list of) hash
checksum(s). To me it feels like an unnecessary abstraction when one
could just provide .sig files for each file and be more widely compatible.

brent saner
GPG info: https://square-r00t.net/gpg-info
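To make the comparison above concrete, here is an added example (not code from this thread, and not signify's or GnuPG's own code) that models the two verification paths side by side: a detached signature over the file itself, versus a signature over a checksum list (in either sha256sum or BSD/signify `SHA256 (file) = hex` style) followed by a lookup of the file's hash in that list. The signature primitive is an assumption for illustration only: an HMAC stand-in so the script runs with the standard library; the structure of the checks, and the extra failure mode the list path adds (a file the list does not cover), is what the example shows.

```python
import hashlib
import hmac
import re

# ASSUMPTION (example only): HMAC-SHA256 with a shared key stands in for the
# asymmetric sign/verify of signify or GPG. Only the verification structure
# matters here, not the primitive.
STANDIN_KEY = b"example-signing-key"


def sign(data: bytes) -> bytes:
    return hmac.new(STANDIN_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The two checksum-list line styles being contrasted:
#   GNU coreutils sha256sum:   <hex>  <filename>   (or "<hex> *<filename>")
#   BSD / signify -C style:    SHA256 (<filename>) = <hex>
_GNU = re.compile(r"^([0-9a-f]{64})\s[\s*](.+)$")
_BSD = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")


def parse_checksum_list(text: str) -> dict:
    """Map filename -> expected sha256 hex; rejects any unrecognised line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _GNU.match(line)
        if m:
            entries[m.group(2)] = m.group(1)
            continue
        m = _BSD.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unrecognised checksum line: {line!r}")
    return entries


def verify_via_signed_list(name: str, data: bytes, list_text: str, list_sig: bytes) -> bool:
    """signify-style: the signature covers the checksum list, not the file.

    Trust flows signature -> list -> entry -> file hash. A file absent from
    the list is unverifiable even though the list itself is authentic.
    """
    if not verify(list_text.encode(), list_sig):
        return False
    expected = parse_checksum_list(list_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(data))


def verify_via_detached_sig(data: bytes, sig: bytes) -> bool:
    """Detached .sig: the signature is over (the hash of) the file itself."""
    return verify(data, sig)


def demo() -> dict:
    # Constructed sample inputs: two "tarballs" and a mixed-style checksum list.
    src = b"constructed source tarball bytes\n"
    other = b"constructed second file\n"
    list_text = (
        f"SHA256 (foo-1.0.tar.gz) = {sha256_hex(src)}\n"
        f"{sha256_hex(other)}  bar-2.0.tar.gz\n"
    )
    list_sig = sign(list_text.encode())
    file_sig = sign(src)
    tampered = src + b"x"
    edited_list = list_text.replace("foo", "f00")  # list altered after signing
    return {
        "list_ok": verify_via_signed_list("foo-1.0.tar.gz", src, list_text, list_sig),
        "list_tampered_file": verify_via_signed_list("foo-1.0.tar.gz", tampered, list_text, list_sig),
        "list_tampered_list": verify_via_signed_list("foo-1.0.tar.gz", src, edited_list, list_sig),
        "list_unlisted": verify_via_signed_list("baz-3.0.tar.gz", src, list_text, list_sig),
        "sig_ok": verify_via_detached_sig(src, file_sig),
        "sig_tampered": verify_via_detached_sig(tampered, file_sig),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'pass' if result else 'FAIL'}")
```

Both paths reject a tampered file and a tampered list; the difference is that the list path needs a parser and a filename lookup in between, and a file that is not in the list ("list_unlisted") cannot be verified at all, whereas a per-file detached signature has no such intermediate step.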
