On 7/21/19 2:19 AM, Stephen Gregoratto via arch-general wrote:
> I recently adopted the openbsd-manpages package[1], and wanted to verify
> downloaded files using OpenBSD's signify(1) tool. For each release of
> OpenBSD, you download the base public key[2], the architecture-specific
> files and the SHA256.sig[3] for those files.
> The files are verified by running:
> signify -Cp openbsd-65-base.pub -x SHA256.sig *.tgz
> The problem is that PKGBUILD thinks that the signify signature is a PGP
> signature, and tries to verify it against a non-existent file/PGP key.
> I've worked around this by renaming SHA256.sig to SHA256.
> Have any other packagers/maintainers experienced this problem,
> and if so are there any better solutions other than the one I mentioned?
> [1] https://aur.archlinux.org/packages/openbsd-manpages/
> [2] https://ftp.openbsd.org/pub/OpenBSD/6.5/openbsd-65-base.pub
> [3] https://ftp.openbsd.org/pub/OpenBSD/6.5/amd64/SHA256.sig
The non-standard "signify" utility is not supported by makepkg, and
doesn't have a "solution" at all, really. It's never been an issue
before, because as far as I'm aware people don't actually use it in the
wild -- excepting, of course, OpenBSD itself, and you're attempting to
package something produced by OpenBSD, which I suppose explains why you
have such signature files to try verifying.
...
As a matter of curiosity, how does renaming the file from SHA256.sig to
SHA256 help you validate the contents using signify? Moreover, what good
do the checksums do you, when it's the files themselves that you want to
verify?
The latter problem is why I'm incredibly frustrated by projects that use
PGP, too -- when the only thing they sign is a file containing
checksums, and not the actual source file.
--
Eli Schwartz
Bug Wrangler and Trusted User
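Added example (not part of the thread, and not OpenBSD's signify source): a Python sketch of the two steps that `signify -C` chains together, so the "signed checksum list" question above has something concrete next to it. It parses the base64 layout signify uses for `.pub` files and embedded-signature `.sig` files ("Ed" + 8-byte key number + key or signature), refuses a signature whose key number does not match the public key, and only then compares files against the SHA256 list that the signature covers. The Ed25519 check itself is delegated to the third-party `cryptography` package (an assumption; it is imported lazily so the rest runs without it), and the keys, signatures, file names and manifest in the demo functions are constructed placeholders, not real OpenBSD material.

```python
import base64
import hashlib
import os
import re
import tempfile

# Layout of signify(1) key and signature blobs: one "untrusted comment:" line,
# then a base64 line decoding to "Ed" + 8-byte key number + payload.
PKALG = b"Ed"
KEYNUM_LEN = 8
PUBKEY_LEN = 32
SIG_LEN = 64

# BSD-style checksum line, as found in the SHA256 / SHA256.sig files on mirrors.
CHECKSUM_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hexdigest>[0-9a-f]{64})$")


def _decode_line(line, payload_len):
    raw = base64.b64decode(line.strip(), validate=True)
    if not raw.startswith(PKALG) or len(raw) != len(PKALG) + KEYNUM_LEN + payload_len:
        raise ValueError("not an Ed25519 signify blob")
    return raw[2:2 + KEYNUM_LEN], raw[2 + KEYNUM_LEN:]


def parse_pubkey(text):
    """Return (keynum, 32-byte Ed25519 public key) from a .pub file's text."""
    comment, b64 = text.splitlines()[:2]
    if not comment.startswith("untrusted comment:"):
        raise ValueError("missing untrusted comment line")
    return _decode_line(b64, PUBKEY_LEN)


def parse_embedded_sig(text):
    """Return (keynum, 64-byte signature, embedded message) from a -e style .sig."""
    parts = text.split("\n", 2)
    if len(parts) < 3 or not parts[0].startswith("untrusted comment:"):
        raise ValueError("malformed signature file")
    keynum, sig = _decode_line(parts[1], SIG_LEN)
    return keynum, sig, parts[2].encode()  # everything after the sig line is signed


def verify_embedded(pub_text, sig_text):
    """Check key number and Ed25519 signature; return the now-trusted message."""
    pub_keynum, pubkey = parse_pubkey(pub_text)
    sig_keynum, sig, msg = parse_embedded_sig(sig_text)
    if pub_keynum != sig_keynum:
        raise ValueError("verification failed: checked against wrong key")
    # Assumption: the `cryptography` package is installed for the Ed25519 step.
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    Ed25519PublicKey.from_public_bytes(pubkey).verify(sig, msg)
    return msg


def check_manifest(manifest, directory, names=None):
    """Hash each listed file (or only `names`) and compare with the manifest.

    This is the second half of `signify -C`: it only means anything once the
    manifest bytes came out of verify_embedded(), i.e. are signature-covered.
    """
    results = {}
    for line in manifest.decode().splitlines():
        m = CHECKSUM_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if names is not None and name not in names:
            continue
        try:
            with open(os.path.join(directory, name), "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            results[name] = digest == m.group("hexdigest")
        except FileNotFoundError:
            results[name] = False
    return results


def demo_checksums():
    """Constructed demo: one intact file, one tampered file, one missing file."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = b"good tarball bytes\n", b"original bytes\n"
        manifest = "\n".join(
            f"SHA256 ({n}) = {hashlib.sha256(c).hexdigest()}"
            for n, c in (("good.tgz", good), ("bad.tgz", bad), ("gone.tgz", b""))
        ).encode()
        open(os.path.join(d, "good.tgz"), "wb").write(good)
        open(os.path.join(d, "bad.tgz"), "wb").write(b"tampered\n")
        return check_manifest(manifest, d)


def demo_wrong_key():
    """Constructed demo: sig blob with a different key number than the pubkey."""
    pub = "untrusted comment: constructed\n" + base64.b64encode(
        PKALG + b"\x00" * KEYNUM_LEN + b"\x00" * PUBKEY_LEN).decode() + "\n"
    sig = "untrusted comment: constructed\n" + base64.b64encode(
        PKALG + b"\x01" * KEYNUM_LEN + b"\x00" * SIG_LEN).decode() + "\nSHA256 (x) = 00\n"
    try:
        verify_embedded(pub, sig)
    except ValueError as e:
        return str(e)
    return "accepted"
```

Renaming SHA256.sig to SHA256 does not change any of this: the file still carries its comment line, signature line and embedded message, so signify verifies it the same way; the rename only keeps makepkg from treating a `.sig` suffix as a PGP detached signature.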