[arch-general] Proper use of signify in PKGBUILDs

Eli Schwartz eschwartz at archlinux.org
Sun Jul 21 15:32:16 UTC 2019

On 7/21/19 4:11 AM, Stephen Gregoratto wrote:
> On 2019-07-21 02:42, Eli Schwartz via arch-general wrote:
>> How does renaming the file from SHA256.sig to SHA256 help you validate
>> the contents using signify?
> I rename it in the source array:
>    "SHA256::${_mirrorurl}/${pkgver}/amd64/SHA256.sig"

I asked you "how is simply downloading the signify file as a makepkg 
source useful, when makepkg won't use the signify file to 
programmatically verify the downloaded openbsd-manpages source tarball".

You responded to the question: "Do you or do you not download this file, 
and how do you prevent GnuPG from trying to erroneously read it".
(Since you've already stated this in the original post to arch-general, 
I don't know why you need to repeat it again, but okay.)

If you want to continue talking right past what I say, it will be very 
difficult for me to effectively carry on a conversation with the intent 
of providing help and guidance on the "proper use of signify in PKGBUILDs".

> That way makepkg doesn't think it's a PGP signature. Note that the
> SHA256.sig file has the checksums embedded in the file, as the
> signature/additional comments are at the top and take up at most two
> lines.

I was very much able to download the file and look at it myself. Once 
again, I do not see how that answers my question.

Also: it's essentially a non-detached GnuPG signature in that respect, 
and files with the GnuPG signing data inline in the file itself, rather 
than being properly detached, are just as troublesome as files in 
strange and non-standard crypto tools.

makepkg cannot recognize a foo.tar.gz.gpg file for the same reason 
actually nothing can: the internal tarball headers are obscured by an 
OpenPGP packet section, and you need to fiddle with the files using 
GnuPG first, and doing so will by default write to stdout (and is 
anyways difficult to distinguish from detached signatures without the 
actual file at all).

>> Moreover, what good do the checksums do you, when it's the files
>> themselves that you want to verify?
> Signify verifies the signature and then verifies the checksums of each
> file. While I could just use the sha256sums array, I prefer using
> signify as that is how the OpenBSD project distributes their files
> securely. Since these files can also be downloaded in the clear (FTP),
> verifying them becomes an absolute must.

Since this is apparently a very tough question to answer, maybe 
rewording it will help: who is running signify? According to makepkg, 
this is just "a source file".

You don't need to tell me about the importance of verifying files 
downloaded over FTP. This is not a philosophy class and no one disputed 
the importance of this, so let's just assume we're all on the same page 
and get back to the thread topic: "successfully using signify in a 

That being the topic, would you like to clarify how your proposed model 
for executing the `signify` utility within a makepkg operation would 
work? Because to be honest, that's the only thing I've been asking about.

>> The latter problem is why I'm incredibly frustrated by projects that use
>> PGP, too -- when the only thing they sign is a file containing checksums,
>> and not the actual source file.
> I'm not sure what the problem is here, isn't validating the signature
> and checksums not good enough?

Validating the signature of a file containing checksums, and *not* 
validating the checksums, is exactly what isn't "good enough". makepkg 
has no way to assert that the checksums in a "SHA256" file match the 
sha256sums=() array. If I'm going to copy the upstream project's 
sha256sums, downloading the file I copied them from doesn't provide 
additional security.

Eli Schwartz
Bug Wrangler and Trusted User

More information about the arch-general mailing list