User:Kpcyrd/Signify package guidelines

From ArchWiki

signify is a tool developed by the OpenBSD project to sign and verify signatures on files. It is used by some software projects to sign release artifacts such as source code tarballs. This page documents how to verify them in a PKGBUILD.

Use in PKGBUILD

Signatures can be verified with the signify package.

PKGBUILD
makedepends=('signify')
source=("https://example.com/${pkgname}/${pkgname}-${pkgver}.tar.gz"
        # the local file name must not end in .sig, otherwise makepkg will automatically try to verify it as a PGP signature
        "${pkgname}-${pkgver}.tar.gz.signature::https://example.com/${pkgname}/${pkgname}-${pkgver}.tar.gz.sig"
        "https://example.com/signing-key.pub")
sha512sums=('701f70245a11e7cf3412b14ed26bf7b1464512d5b0cf3f913e70ebfdfe20574b8ebbae5a78f4b56ac0034d54830380309cac3057ca00a8028edbde3d091141f5'
            'b86a7be7fa2bca713a68f9ca08ed881d0e7ecc4b9d7ab27290e9897f865d99b7eb5bd9b73e16bd34b5763dd173bf6c91c4ad6305cc190c3460f108c9f6df2b5a'
            'a09a434387e22612a9225ddfa444044977712c6410efe8a77a33d8aa607bd1acbef2a1da08b62e21a4b070f0974ba94ae907ac0452b5d060e33a1c051a7780e4')
b2sums=('b84494706c97861f1cbf9e70129ee25df05e873225bd8a971d6e874822c84532528d04186847cced0a8c13322d1bab7578e48552bd2fa196ca8f9b5d0576b692'
        '4bf44b00293c4288659593daa5a57b69de88e695cfbca4e0052b0ece80ea39361eff2ef4a02f9b65355affa6b40eabb32ab683b62a824f20178fc019134a7efe'
        '6d6bd90b77e67ccb876f0c78c710c9e1b82767a19aeadaac9310e5628b791586fc8475ad5179eaa2fee386ae80aae916226167ec92c5af309bba4052238326c8')

prepare() {
  # verify the download with signify
  # note the archive has already been unpacked at this point
  # signify exits non-zero if the signature does not match, which aborts the build
  signify -V -p signing-key.pub -x "${pkgname}-${pkgver}.tar.gz.signature" -m "${pkgname}-${pkgver}.tar.gz"
}
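As an added illustration of what `signify -V` does with those three files (this is example code, not part of this page or of signify itself), the following Python reimplements the check: parse the `.pub` and `.sig` files, confirm the key number in the signature matches the one in the public key, and verify the Ed25519 signature over the raw message. It assumes the `cryptography` library is installed; the key pair and signature are constructed in `make_sample` rather than downloaded.

```python
import base64
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

PKALG = b"Ed"   # signify's only algorithm tag (Ed25519)
KEYNUMLEN = 8   # random key id that ties a signature to its key pair


def parse_signify_file(text: str, body_len: int) -> tuple[bytes, bytes]:
    """Parse a signify .pub (body 32 bytes) or .sig (body 64 bytes) file:
    an 'untrusted comment:' line, then one base64 line of PKALG||keynum||body."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("missing 'untrusted comment:' line")
    raw = base64.b64decode(lines[1], validate=True)
    if raw[:2] != PKALG or len(raw) != 2 + KEYNUMLEN + body_len:
        raise ValueError("unsupported algorithm or wrong length")
    return raw[2:2 + KEYNUMLEN], raw[2 + KEYNUMLEN:]


def signify_verify(pub_text: str, sig_text: str, message: bytes) -> bool:
    """What `signify -V -p pub -x sig -m message` checks: same keynum in
    key and signature, then an Ed25519 signature over the raw message."""
    pub_keynum, pubkey = parse_signify_file(pub_text, 32)
    sig_keynum, sig = parse_signify_file(sig_text, 64)
    if pub_keynum != sig_keynum:
        raise ValueError("verification failed: checked against wrong key")
    try:
        Ed25519PublicKey.from_public_bytes(pubkey).verify(sig, message)
        return True
    except InvalidSignature:
        return False


def make_sample(message: bytes) -> tuple[str, str]:
    """Constructed sample data (stands in for `signify -G` and `signify -S`):
    a throwaway key pair and a signify-format signature over `message`."""
    priv = Ed25519PrivateKey.generate()
    keynum = os.urandom(KEYNUMLEN)
    pub_raw = PKALG + keynum + priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    sig_raw = PKALG + keynum + priv.sign(message)
    pub_text = "untrusted comment: signify public key\n%s\n" % base64.b64encode(pub_raw).decode()
    sig_text = "untrusted comment: verify with signing-key.pub\n%s\n" % base64.b64encode(sig_raw).decode()
    return pub_text, sig_text
```

Because signing-key.pub is downloaded alongside the tarball, the sha512sums/b2sums entry for it in the PKGBUILD is what pins the key, so compare it against a copy of the upstream key obtained through another channel before recording that checksum.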