[arch-general] Harassment by David Runge

admin at progandy.de
Mon May 13 16:50:18 UTC 2019


On 13.05.19 at 13:53, Justin Capella via arch-general wrote:
...
> I recognize base64
> but RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/L42V8xe78eOx7kyXAJ3rPF30MUQpBayUSkof3KQxE35CA0=
> in the sig file associated with liblzf... But it's useless to me without
> the extraneous tool I'm not installing. Seeing as git signs with gpg I
> think it's fair to say that's the norm.
> 

...

The tool he uses is called signify, which is the
"OpenBSD tool to sign and verify signatures on files"

It is packaged in community. I have no opinion on the use of such
signatures in a Linux environment. He has also linked to the signature
and the verification process (see quote below). Theoretically it would
be possible to verify the signatures in a prepare() function, but it
does feel a bit more complicated than directly using a gpg signature.

Signify is the result of a desire to have a signature tool that can be
audited easily, OpenBSD claims gpg implementations are too complicated
for that. [*]

--
ProgAndy

[*] https://www.openbsd.org/papers/bsdcan-signify.html


> On Sat, May 11, 2019, 9:20 AM Marc Lehmann via arch-general <
> arch-general at archlinux.org> wrote:
> 
>> A few of my packages are distributed on http://dist.schmorp.de/, backed up
>> by signify signatures, in turn backed up by gpg(1), and other means.
>>

...

> 
> (1) http://dist.schmorp.de/signing-key.txt
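An added example, not part of this thread and not code from signify or from any of the posters: a stdlib-only Python reader for the signify .pub/.sig file layout together with a textbook Ed25519 verifier, i.e. the whole of what a prepare() that checks a signify signature would be delegating to signify -V. The key numbers, comment strings and the file name example.pub are made up; the public key and signature are RFC 8032's first test vector (empty message), used as a known-answer check of the curve arithmetic.

```python
import base64
import hashlib

# Ed25519 reference arithmetic (RFC 8032) in affine coordinates: one modular
# inversion per point addition, so slow, but short enough to read in full.
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, q - 2, q)) % q
I = pow(2, (q - 1) // 4, q)                   # sqrt(-1) mod q

def xrecover(y):
    """Even x with -x^2 + y^2 = 1 + d x^2 y^2; caller applies the sign bit."""
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q:
        x = (x * I) % q
    return q - x if x & 1 else x

By = (4 * pow(5, q - 2, q)) % q
B = (xrecover(By), By)                        # base point

def edwards(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q) % q,
            (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q) % q)

def scalarmult(P, e):
    Q = (0, 1)                                # neutral element
    for bit in bin(e)[2:]:                    # left-to-right double-and-add
        Q = edwards(Q, Q)
        if bit == "1":
            Q = edwards(Q, P)
    return Q

def decodepoint(s):
    """32 bytes: little-endian y, with the parity of x in the top bit."""
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q:
        raise ValueError("point not on curve")
    return (x, y)

def ed25519_verify(sig, m, pk):
    """Check S*B == R + H(R||A||M)*A; rejects malformed points and S >= l."""
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= l:
        return False
    h = int.from_bytes(hashlib.sha512(sig[:32] + pk + m).digest(), "little")
    return scalarmult(B, S) == edwards(R, scalarmult(A, h))

# signify .pub and .sig files: "untrusted comment: ..." then one base64 blob,
# blob = b"Ed" + 8-byte key number + (32-byte public key | 64-byte signature).
COMMENTHDR = "untrusted comment: "
PKALG = b"Ed"

def parse_signify(text):
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith(COMMENTHDR):
        raise ValueError("file must start with 'untrusted comment: '")
    return lines[0][len(COMMENTHDR):], base64.b64decode(lines[1], validate=True)

def format_signify(comment, blob):
    return f"{COMMENTHDR}{comment}\n{base64.b64encode(blob).decode()}\n"

def signify_verify(pub_text, sig_text, message):
    """The checks behind `signify -V -p k.pub -x f.sig -m f`: (ok, reason)."""
    _, pub = parse_signify(pub_text)
    _, sig = parse_signify(sig_text)
    if len(pub) != 42 or pub[:2] != PKALG:
        return False, "unsupported public key"
    if len(sig) != 74 or sig[:2] != PKALG:
        return False, "unsupported signature"
    if pub[2:10] != sig[2:10]:                # key number compared before any crypto
        return False, "checked against wrong key"
    ok = ed25519_verify(sig[10:], message, pub[10:])
    return ok, ("Signature Verified" if ok else "signature verification failed")

# RFC 8032 section 7.1 test 1 (empty message); the key number is made up.
RFC_PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
RFC_SIG = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
KEYNUM = bytes.fromhex("0123456789abcdef")

def demo():
    """Constructed .pub/.sig texts wrapping the RFC vector; returns three (ok, reason)."""
    pub = format_signify("signify public key", PKALG + KEYNUM + RFC_PK)
    sig = format_signify("verify with example.pub", PKALG + KEYNUM + RFC_SIG)
    other = format_signify("signify public key", PKALG + bytes(8) + RFC_PK)
    return (signify_verify(pub, sig, b""),          # genuine
            signify_verify(pub, sig, b"x"),         # file contents changed
            signify_verify(other, sig, b""))        # same key, different key number
```

The three cases in demo() come back as "Signature Verified", "signature verification failed" and "checked against wrong key", in that order. Fed the base64 line Justin quoted (with an "untrusted comment:" line put in front of it, since the mail does not show one), parse_signify() yields 74 bytes beginning with b"Ed", i.e. exactly this layout; the 8 bytes after the tag are the key number that has to match the one in the published public key before any curve arithmetic is attempted, which is why a wrong key is reported differently from a bad signature. The affine arithmetic here is for reading, not production use; the point is the file layout and the order of the checks.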

