User:Kpcyrd/Minisign package guidelines
minisign is a tool to sign files and verify digital signatures. It is used by some software projects to sign release artifacts such as source code tarballs. This page documents how to verify those signatures in a PKGBUILD.
Use in PKGBUILD
Signatures can be verified with the minisign package.
PKGBUILD
    makedepends=('minisign')
    source=("https://example.com/${pkgname}-${pkgver}.tar.gz"{,.minisig})
    sha512sums=('17e8638e46d8f6f7d024fe5559eccf2b8baf23e143fadd472a7d29d228b186d86686a5e6920385fe2020729119a5f12f989c3a782afbd05a8db4819bb18666ef'
                'e0cf76872079c295d71cf60d7bf95dc67d2285f4786b8bc47bbc6c0adbef05f6e0cb14a5100b8a1b7115eeed70cfd2f6574e198df620bbe60cf884187e6a903f')
    _validminisignkey='RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

    prepare() {
      # verify the download with minisign
      # note the archive has already been unpacked at this point
      minisign -Vm "${pkgname}-${pkgver}.tar.gz" -P "$_validminisignkey"
    }
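The comment in prepare() above notes that makepkg has already unpacked the archive by the time the signature is checked. The variant below lists the archive in noextract and unpacks it only after minisign succeeds; it is an added example, not part of the original page, and pkgname, pkgver and the URL are placeholders.

```bash
# PKGBUILD fragment (added example, not from the original page).
# pkgname, pkgver and the example.com URL are placeholders; the public
# key is the one used in the PKGBUILD above.
pkgname=example
pkgver=1.0.0

makedepends=('minisign')
source=("https://example.com/${pkgname}-${pkgver}.tar.gz"{,.minisig})
# Stop makepkg from extracting the archive automatically, so nothing
# parses the download before its signature has been checked.
noextract=("${pkgname}-${pkgver}.tar.gz")
# sha512sums=(...) stays as in the PKGBUILD above.
_validminisignkey='RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

prepare() {
  # makepkg starts prepare() inside $srcdir, where the archive and its
  # .minisig file have been placed next to each other.
  local archive="${pkgname}-${pkgver}.tar.gz"

  # minisign looks for "<file>.minisig" beside the file by default.
  # Abort the build on any verification failure.
  minisign -Vm "$archive" -P "$_validminisignkey" || return 1

  # Unpack only after the signature has been accepted.
  bsdtar -xf "$archive"
}
```

Because the archive is no longer extracted automatically, later functions find the unpacked tree only after prepare() has run to completion.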