Discussion:
signify [file ... ]
Andrew
2018-03-10 23:00:29 UTC
Hi Ted !!!

Today I downloaded a fresh SHA256.sig and bsd.rd and successfully
verified them both with signify(1).

--

signify -C [-q] -p pubkey -x sigfile [file ...]

Just wondering if signify(1) is intended to exit 0 ONLY if the [file
...] is within the shell's pwd ?? By chance, I noticed that
/path/to/file will fail on the same bsd.rd controlling for the working
directory.

You can see the same results by (for example):

a) mkdir /home/bench/snaps
b) cd /home/bench/snaps
c) /home/bench/snaps $> (download SHA256.sig and bsd.rd)
d) /home/bench/snaps $> signify -Cp /etc/signify/openbsd-63-base.pub -x SHA256.sig bsd.rd
Signature Verified
bsd.rd: OK

e) /home/bench/snaps $> mv SHA256.sig ..

f) /home/bench/snaps $> signify -Cp /etc/signify/openbsd-63-base.pub -x ../SHA256.sig bsd.rd
Signature Verified
bsd.rd: OK

g) cd ..

h) /home/bench $> signify -Cp /etc/signify/openbsd-63-base.pub -x SHA256.sig snaps/bsd.rd
Signature Verified
snaps/bsd.rd: FAIL

---

I just wanted to bring this to your attention.

Big thanks to you and to Marc for such a great utility !!! Thanks also to
Ingo for a man page full of really useful examples, especially the one
about "verifying a gzip pipeline." That example really shows off your
great work within the context of what makes un*x so amazing.

Have a great weekend !!!

-A
Ted Unangst
2018-03-12 02:30:46 UTC
Post by Andrew
> Just wondering if signify(1) is intended to exit 0 ONLY if the [file
> ...] is within the shell's pwd ?? By chance, I noticed that
> /path/to/file will fail on the same bsd.rd controlling for the working
> directory.

Mostly, yes. The filename is compared to the one in the signature file with a
simple comparison.

Post by Andrew
> h) /home/bench $> signify -Cp /etc/signify/openbsd-63-base.pub -x SHA256.sig snaps/bsd.rd
> Signature Verified
> snaps/bsd.rd: FAIL

The name in SHA256.sig is not snaps/bsd.rd, and so there is no match.
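
A small model of the name matching described in the reply above, as an added example that is not part of the thread and is not signify's source code: it parses a BSD-style checksum list and looks up each requested name by exact string, leaving out the signature check entirely. The function names and the stand-in file contents are constructed for illustration.

```python
import hashlib, os, re, tempfile

# BSD-style checksum line, as written by sha256(1): "SHA256 (name) = hexdigest"
LINE_RE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-f]+)$")

def parse_checksum_list(text):
    """Map each listed name (kept as a verbatim string) to (algorithm, digest)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # comment and signature lines do not match and are skipped
            entries[m.group(2)] = (m.group(1).lower(), m.group(3))
    return entries

def check_files(entries, names, cwd):
    """Return {name: 'OK' | 'FAIL'}, looking each name up by exact string."""
    results = {}
    for name in names:
        entry = entries.get(name)  # simple comparison, no path normalisation
        path = os.path.join(cwd, name)
        if entry is None or not os.path.isfile(path):
            results[name] = "FAIL"
            continue
        algo, want = entry
        with open(path, "rb") as f:
            got = hashlib.new(algo, f.read()).hexdigest()
        results[name] = "OK" if got == want else "FAIL"
    return results

def demo():
    """Recreate steps d) and h) with a constructed file and checksum list."""
    with tempfile.TemporaryDirectory() as bench:
        snaps = os.path.join(bench, "snaps")
        os.mkdir(snaps)
        data = b"constructed stand-in for bsd.rd\n"
        with open(os.path.join(snaps, "bsd.rd"), "wb") as f:
            f.write(data)
        listing = "SHA256 (bsd.rd) = %s\n" % hashlib.sha256(data).hexdigest()
        entries = parse_checksum_list(listing)
        inside = check_files(entries, ["bsd.rd"], cwd=snaps)         # step d)
        outside = check_files(entries, ["snaps/bsd.rd"], cwd=bench)  # step h)
        return inside, outside

if __name__ == "__main__":
    print(demo())
```

The file on disk is identical in both calls; only the name handed to the lookup differs, which is why running the check from the directory that holds the files, with names exactly as listed, succeeds.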