User:Kpcyrd/Minisign package guidelines

Arch package guidelines

32-bit – CLR – CMake – Cross – DKMS – Eclipse – Electron – Font – Free Pascal – GNOME – Go – Haskell – Java – KDE – Kernel – Lisp – Meson – MinGW – Node.js – Nonfree – OCaml – Perl – PHP – Python – R – Ruby – Rust – Shell – VCS – Web – Wine

minisign is a tool to sign files and verify digital signatures. It is used by some software projects to sign release artifacts like source code tar balls. This page documents how to verify them in a PKGBUILD.

Use in PKGBUILD

Signatures can be verified with the minisign package.

PKGBUILD

makedepends=('minisign')
source=("https://example.com/${pkgname}-${pkgver}.tar.gz"{,.minisig})
sha512sums=('17e8638e46d8f6f7d024fe5559eccf2b8baf23e143fadd472a7d29d228b186d86686a5e6920385fe2020729119a5f12f989c3a782afbd05a8db4819bb18666ef'
            'e0cf76872079c295d71cf60d7bf95dc67d2285f4786b8bc47bbc6c0adbef05f6e0cb14a5100b8a1b7115eeed70cfd2f6574e198df620bbe60cf884187e6a903f')
_validminisignkey='RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

prepare() {
  # verify the download with minisign
  # note the archive has already been unpacked at this point
  minisign -Vm "${pkgname}-${pkgver}.tar.gz" -P "$_validminisignkey"
}