signify [file ... ]


signify [file ... ]

Andrew-2
Hi Ted !!!

Today I downloaded a fresh SHA256.sig and bsd.rd and successfully
verified them both with signify(1).

--

signify -C [-q] -p pubkey -x sigfile [file ...]

Just wondering if signify(1) is intended to exit 0 ONLY if the [file
...] is within the shell's pwd ?? By chance, I noticed that
/path/to/file will fail on the same bsd.rd controlling for the working
directory.

You can see the same results by (for example):

a) mkdir /home/bench/snaps
b) cd /home/bench/snaps
c) /home/bench/snaps $> (download SHA256.sig and bsd.rd)
d) /home/bench/snaps $> signify -Cp /etc/signify/openbsd-63-base.pub
                        -x SHA256.sig bsd.rd
Signature Verified
bsd.rd: OK

e) /home/bench/snaps $> mv SHA256.sig ..

f) /home/bench/snaps $> signify -Cp /etc/signify/openbsd-63-base.pub
                        -x ../SHA256.sig bsd.rd
Signature Verified
bsd.rd: OK

g) cd ..

h) /home/bench $> signify -Cp /etc/signify/openbsd-63-base.pub
                        -x SHA256.sig snaps/bsd.rd
Signature Verified
snaps/bsd.rd: FAIL

---

I just wanted to bring this to your attention.

Big thanks to you and to Marc for such a great utility !!! Thanks also to
Ingo for a man page full of really useful examples, especially the one
about "verifying a gzip pipeline." That example really shows off your
great work within the context of what makes un*x so amazing.

Have a great weekend !!!

-A


Re: signify [file ... ]

Ted Unangst-6
Andrew wrote:
> Just wondering if signify(1) is intended to exit 0 ONLY if the [file
> ...] is within the shell's pwd ?? By chance, I noticed that
> /path/to/file will fail on the same bsd.rd controlling for the working
> directory.

Mostly, yes. The filename is compared to the one in the signature file with a
simple comparison.

> h) /home/bench $> signify -Cp /etc/signify/openbsd-63-base.pub
> -x SHA256.sig snaps/bsd.rd
> Signature Verified
> snaps/bsd.rd: FAIL

The name in SHA256.sig is not snaps/bsd.rd, and so there is no match.
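
The name matching described in the reply above, as an added Python model (not signify's code and not part of the original thread). It covers only the checklist lookup and hash check; the signature verification step is left out, and the function names and the temporary-directory layout are assumptions made for illustration.

```python
import hashlib, os, re, tempfile

# BSD-style checklist line, e.g. "SHA256 (bsd.rd) = <hex digest>"
LINE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-f]+)$")

def parse_checklist(text):
    """Map each listed name to (algorithm, hex digest)."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1), m.group(3))
    return entries

def check(entries, arg):
    """Look the argument up by exact string, then hash the file of that name."""
    if arg not in entries:      # "snaps/bsd.rd" != "bsd.rd", so no entry matches
        return "FAIL"
    algo, want = entries[arg]
    try:
        with open(arg, "rb") as f:
            got = hashlib.new(algo.lower(), f.read()).hexdigest()
    except OSError:
        return "FAIL"
    return "OK" if got == want else "FAIL"

def check_at(entries, path):
    """Run the check from the file's own directory, passing its bare name."""
    old = os.getcwd()
    os.chdir(os.path.dirname(path) or ".")
    try:
        return check(entries, os.path.basename(path))
    finally:
        os.chdir(old)

def demo():
    """Rebuild the snaps/ layout from the post in a temp dir (constructed data)."""
    old = os.getcwd()
    with tempfile.TemporaryDirectory() as bench:
        os.mkdir(os.path.join(bench, "snaps"))
        data = b"constructed stand-in for bsd.rd\n"
        with open(os.path.join(bench, "snaps", "bsd.rd"), "wb") as f:
            f.write(data)
        entries = parse_checklist("SHA256 (bsd.rd) = " + hashlib.sha256(data).hexdigest())
        os.chdir(bench)
        try:
            return check(entries, "snaps/bsd.rd"), check_at(entries, "snaps/bsd.rd")
        finally:
            os.chdir(old)
```

The FAIL in step h) therefore says nothing about the file's contents: the digest is never compared because no checklist entry carries that name.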