[arch-general] Proper use of signify in PKGBUILDs

Eli Schwartz eschwartz at archlinux.org
Sun Jul 21 15:27:00 UTC 2019


On 7/21/19 9:19 AM, brent s. wrote:
> i can't speak for why it bothers Eli, but it bothers me because that's
> exactly what GPG detached sigs are already: signed hash checksums. The
> signify method is a signed hash checksum of a (list of) hash
> checksum(s). To me it feels like an unnecessary abstraction when one
> could just provide .sig files for each file and be more widely compatible.

The problem is a lot bigger, because "widely compatible" includes "being 
compatible with makepkg's official validation mechanism" and that 
unnecessary abstraction means it cannot, in fact, be used in makepkg 
after all.

-- 
Eli Schwartz
Bug Wrangler and Trusted User


More information about the arch-general mailing list