
Bug#773850: ITP: signify-openbsd -- Lightweight cryptographic signing and verifying tool



* Riley:

> Similar to GNU Privacy Guard (GPG), signify is the tool which
> OpenBSD uses to cryptographically sign its releases, so that
> you can be sure that you are actually getting a release made by
> OpenBSD, as opposed to a malicious forgery designed to look
> the same.

You can't use the package as-is for verification because it does not
ship the OpenBSD signing keys (and rightly so).  This is different
from OpenBSD where the signing keys are baked into the distribution
(but obviously, you have to do that leap of faith just once, same with
Debian, more or less).

> Signify's usage is not limited to OpenBSD's releases, however -
> it can be used to sign any software.

(And not just software.)

> So that it will work on Linux, the version of signify provided
> in this package is not exactly the same as the version provided
> in OpenBSD's CVS tree; however the upstream changes are
> frequently merged.

That's not actually true once this package ends up in a stable
release.

There's been a recent change which you should pick up (“fingerprints”
are no more).