[arch-general] Harassment by David Runge

admin at progandy.de admin at progandy.de
Mon May 13 16:50:18 UTC 2019

On 13.05.19 at 13:53, Justin Capella via arch-general wrote:
> I recognize base64
> but RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/L42V8xe78eOx7kyXAJ3rPF30MUQpBayUSkof3KQxE35CA0=
> in the sig file associated with liblzf... But it's useless to me without
> the extraneous tool I'm not installing. Seeing as git signs with gpg I
> think it's fair to say that's the norm.


The tool he uses is called signify, which is the
"OpenBSD tool to signs and verify signatures on files"

It is packaged in community. I have no opinion on the use of such
signatures in a Linux environment. He has also linked to the signature
and the verification process (see quote below). Theoretically it would
be possible to verify the signatures in a prepare() function, but it
does feel a bit more complicated than directly using a gpg signature.

Signify is the result of a desire to have a signature tool that can be
audited easily; OpenBSD claims gpg implementations are too complicated
for that. [*]


[*] https://www.openbsd.org/papers/bsdcan-signify.html

> On Sat, May 11, 2019, 9:20 AM Marc Lehmann via arch-general <
> arch-general at archlinux.org> wrote:
>> A few of my packages are distributed on http://dist.schmorp.de/, backed up
>> by signify signatures, in turn backed up by gpg(1), and other means.


> (1) http://dist.schmorp.de/signing-key.txt
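
Added example, not part of the original message and not code from signify or the Arch package: the base64 line quoted at the top of this message is a signify signature, which decodes to a 2-byte algorithm tag, an 8-byte key number, and a 64-byte Ed25519 signature. The Python below parses that layout and checks that a public key and a signature share a key number; `verify()` assumes the third-party `cryptography` package, and the function and constant names are illustrative.

```python
import base64
from typing import NamedTuple

SIG_LEN = 2 + 8 + 64   # pkalg + keynum + Ed25519 signature
PUB_LEN = 2 + 8 + 32   # pkalg + keynum + Ed25519 public key


class Blob(NamedTuple):
    alg: bytes      # b"Ed" for Ed25519
    keynum: bytes   # 8-byte key number shared by a key and its signatures
    body: bytes     # 64-byte signature or 32-byte public key


def parse_blob(text: str, expected_len: int) -> Blob:
    """Parse a signify file, or just its base64 line, into its fields."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines and lines[0].startswith("untrusted comment:"):
        lines = lines[1:]          # the comment line is not signed
    if not lines:
        raise ValueError("no base64 payload")
    raw = base64.b64decode(lines[0], validate=True)
    if len(raw) != expected_len:
        raise ValueError(f"expected {expected_len} bytes, got {len(raw)}")
    if raw[:2] != b"Ed":
        raise ValueError(f"unsupported algorithm {raw[:2]!r}")
    return Blob(raw[:2], raw[2:10], raw[10:])


def verify(pub_text: str, sig_text: str, message: bytes) -> None:
    """Raise if the signature is bad. Assumes 'cryptography' is installed."""
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    pub = parse_blob(pub_text, PUB_LEN)
    sig = parse_blob(sig_text, SIG_LEN)
    if pub.keynum != sig.keynum:
        raise ValueError("signature was made with a different key")
    # signify signs the raw file contents with plain Ed25519.
    Ed25519PublicKey.from_public_bytes(pub.body).verify(sig.body, message)


# Signature line as quoted in the message above.
QUOTED_SIG = ("RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/"
              "L42V8xe78eOx7kyXAJ3rPF30MUQpBayUSkof3KQxE35CA0=")

if __name__ == "__main__":
    sig = parse_blob(QUOTED_SIG, SIG_LEN)
    print(sig.alg, sig.keynum.hex(), len(sig.body))
```
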
