On 13.05.19 at 13:53, Justin Capella via arch-general wrote:
...
> I recognize base64
> but RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/L42V8xe78eOx7kyXAJ3rPF30MUQpBayUSkof3KQxE35CA0=
> in the sig file associated with liblzf... But it's useless to me without
> the extraneous tool I'm not installing. Seeing as git signs with gpg I
> think it's fair to say that's the norm.
> ...

The tool he uses is called signify, which is the "OpenBSD tool to signs and verify signatures on files". It is packaged in community. I have no opinion on the use of such signatures in a Linux environment. He has also linked to the signature and the verification process (see quote below).

Theoretically it would be possible to verify the signatures in a prepare() function, but it does feel a bit more complicated than directly using a gpg signature.

Signify is the result of a desire to have a signature tool that can be audited easily; OpenBSD claims gpg implementations are too complicated for that. [*]

--
ProgAndy

[*] https://www.openbsd.org/papers/bsdcan-signify.html

> On Sat, May 11, 2019, 9:20 AM Marc Lehmann via arch-general <
> arch-general@xxxxxxxxxxxxx> wrote:
>
>> A few of my packages are distributed on http://dist.schmorp.de/, backed up
>> by signify signatures, in turn backed up by gpg(1), and other means.
>> ...
>
> (1) http://dist.schmorp.de/signing-key.txt
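What the base64 line quoted in the thread above contains, as an added example that is not part of the original messages: a signify file is an `untrusted comment:` line followed by base64 of a 2-byte algorithm tag (`Ed` for Ed25519), an 8-byte key number, and then a 64-byte signature or a 32-byte public key. The comment line, the function names and the public-key files here are constructed for illustration. The sketch checks only the key number and does not verify the Ed25519 signature itself, which is the job of `signify -V`.

```python
import base64
from typing import NamedTuple

# Signature line as quoted in the thread; the comment line is constructed.
SIG_FILE = (
    "untrusted comment: constructed example comment\n"
    "RWSUBDizLm/GKcGyJf84aGAXKuZLjXNJrUezGuLaqd89R+rQmlFz/L42V8xe78eOx7kyXAJ3"
    "rPF30MUQpBayUSkof3KQxE35CA0=\n"
)
SIG_LEN, PUB_LEN = 64, 32  # Ed25519 signature / public key sizes in bytes


class SignifyBlob(NamedTuple):
    algorithm: str  # "Ed" means Ed25519
    keynum: bytes   # 8-byte key number shared by a key pair
    body: bytes     # signature or public key bytes


def parse_signify(text: str, body_len: int) -> SignifyBlob:
    """Parse a signify signature or public-key file into its fields."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("missing 'untrusted comment: ' header line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 2 + 8 + body_len:
        raise ValueError(f"unexpected decoded length {len(raw)}")
    if raw[:2] != b"Ed":
        raise ValueError("unsupported algorithm tag")
    return SignifyBlob(raw[:2].decode("ascii"), raw[2:10], raw[10:])


def make_pubkey_file(keynum: bytes) -> str:
    """Build a constructed public-key file (all-zero key, not a real key)."""
    raw = b"Ed" + keynum + bytes(PUB_LEN)
    return "untrusted comment: constructed public key\n" + \
        base64.b64encode(raw).decode("ascii") + "\n"


def made_with(sig: SignifyBlob, pub: SignifyBlob) -> bool:
    """True if the signature names this public key (key numbers match)."""
    return sig.algorithm == pub.algorithm and sig.keynum == pub.keynum


if __name__ == "__main__":
    sig = parse_signify(SIG_FILE, SIG_LEN)
    print(sig.algorithm, sig.keynum.hex(), len(sig.body))
```

A key-number mismatch means the file was signed with a different key than the one supplied; a match says only which key to check against, not that the signature is valid.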