[arch-general] Proper use of signify in PKGBUILDs

Eli Schwartz eschwartz at archlinux.org
Sun Jul 21 15:27:00 UTC 2019

On 7/21/19 9:19 AM, brent s. wrote:
> I can't speak for why it bothers Eli, but it bothers me because that's
> exactly what GPG detached sigs are already: signed hash checksums. The
> signify method is a signed hash checksum of a (list of) hash
> checksum(s). To me it feels like an unnecessary abstraction when one
> could just provide .sig files for each file and be more widely compatible.

The problem is a lot bigger, because "widely compatible" includes "being 
compatible with makepkg's official validation mechanism" and that 
unnecessary abstraction means it cannot, in fact, be used in makepkg 
after all.

Eli Schwartz
Bug Wrangler and Trusted User
