
FS#1797 - Replace upstream for signify

Attached to Project: CRUX
Opened by Steffen Nurpmeso (steffen) - Wednesday, 11 March 2020, 17:23 GMT
Last edited by Juergen Daubert (jue) - Monday, 01 June 2020, 12:00 GMT
Task Type New Port Version
Category ports → core/opt
Status New
Assigned To No-one
Operating System CRUX
Severity Low
Priority Normal
Reported Version 3.5
Due in Version 3.6
Due Date Undecided
Percent Complete 0%
Votes 0
Private No


The port stenur/signify replaces core/signify with a different upstream which brings in a lean build system and quite some years of code maintenance, including fixes (I see buffer termination, for example). It is an active code base (kept in sync with "super-upstream").

Comment by Steffen Nurpmeso (steffen) - Monday, 01 June 2020, 12:37 GMT
Pkgfile as requested by jue@ (Flyspray wants comment..)
   Pkgfile (0.6 KiB)
Comment by Juergen Daubert (jue) - Friday, 17 July 2020, 16:14 GMT
Unfortunately this version of signify isn't compatible with the one we are using currently. Our version has a build option SIGNIFYROOT, set to "/etc/ports", which simplifies the calls from pkgmk. For sure it's possible to use the signify from outils, but not without modifications of pkgmk.
Comment by Steffen Nurpmeso (steffen) - Friday, 17 July 2020, 19:16 GMT
Interesting. I will look into that.

P.S.: while doing so I recognized that tek's tarball for signify includes an entire graphical font library for T1 fonts, which is very large.

I report back.
Comment by Steffen Nurpmeso (steffen) - Friday, 17 July 2020, 19:21 GMT
You know, this looks like a three line patch.

#?2|kent:signify$ grep -r SIGNIFYRO /tmp/x/signify-0.1p1/
/tmp/x/signify-0.1p1/signify.c:#ifndef SIGNIFYROOT
/tmp/x/signify-0.1p1/signify.c: #define SIGNIFYROOT "/etc/signify/"
/tmp/x/signify-0.1p1/signify.c: const char *safepath = SIGNIFYROOT;
#?0|kent:signify$ grep -r safepath
signify.c: const char *safepath = "/etc/signify";
signify.c: safepath, pubkeyfile) >= sizeof(keypath))

I will update my port accordingly in five minutes.
Comment by Steffen Nurpmeso (steffen) - Friday, 17 July 2020, 19:38 GMT
Should be fine now.
Comment by Juergen Daubert (jue) - Saturday, 18 July 2020, 07:18 GMT
No, doesn't work:

$:> cd /usr/ports/core/zlib/
$:> pkgmk -cs
=======> ERROR: Signature mismatch found:
MISMATCH must specify pubkey
MISMATCH signify -G [-n] [-c comment] -p pubkey -s seckey
MISMATCH signify -S [-enz] [-x sigfile] -s seckey -m message
MISMATCH signify -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message
Comment by Steffen Nurpmeso (steffen) - Saturday, 18 July 2020, 16:08 GMT
I copy from IRC. Will do what I said, will be up in ten minutes.

17:56 < stenur> Rg signify. Sorry, doing that from scratch now (worked here for signify itself).
17:56 < stenur> 'Thing is, that signify behaviour changed in September 2016!
17:57 < stenur> .. in "there's a hidden feature to infer the public key from the signature comment[..]" (git hash e4c55632f25, and the change thereafter)
18:00 < stenur> So they now accept that public key _only_ if it does _not_ include a path name at all, then they prepend /etc/signify (in CRUX SIGNIFYROOT=/etc/ports).
18:01 < stenur> So this counteracts CRUX .fingerprint usage, as that always includes the full path to the key.
18:05 < stenur> (Which was the former behaviour: need full path, test this against SIGNIFYROOT and ensure no ../ relative elusion happens.)
18:06 < stenur> I would say i reinstantiate parts of that to keep old .fingerprint format usable, and with 3.7 we can drop that patch and go for plain upstream.
Comment by Steffen Nurpmeso (steffen) - Saturday, 18 July 2020, 16:09 GMT
18:09 < stenur> (This is why it worked for me: i created the signature with the new signify, and thus verification succeeded.)
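
The two key-lookup policies contrasted in the IRC excerpt above, written side by side as an added example (not code from signify, the stenur port or CRUX). The function names, the "verify with " marker constant and the sample comment lines are assumptions made for illustration; the root /etc/ports is the SIGNIFYROOT value mentioned in the thread.

```c
#include <stdio.h>
#include <string.h>

#define VERIFYWITH "verify with " /* assumed marker in the signature comment */

/* Return the key name following the marker, or NULL if the marker is absent. */
static const char *key_hint(const char *comment)
{
    const char *p = strstr(comment, VERIFYWITH);
    return p ? p + strlen(VERIFYWITH) : NULL;
}

/* Newer policy from the thread: bare file name only, placed under root. */
int resolve_bare(const char *comment, const char *root, char *out, size_t len)
{
    const char *name = key_hint(comment);
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;                 /* any path component: refuse the hint */
    int n = snprintf(out, len, "%s/%s", root, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;  /* refuse truncation */
}

/* Former policy: full path, which must lie under root and contain no ".." */
int resolve_fullpath(const char *comment, const char *root, char *out, size_t len)
{
    const char *path = key_hint(comment);
    size_t rl = strlen(root);
    if (path == NULL || strncmp(path, root, rl) != 0 || path[rl] != '/')
        return -1;                 /* not under root (also stops /etc/portsX) */
    for (const char *p = path; (p = strstr(p, "/..")) != NULL; p += 3)
        if (p[3] == '/' || p[3] == '\0')
            return -1;             /* ".." component would escape root */
    int n = snprintf(out, len, "%s", path);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    /* Constructed comment lines (newline already stripped), not real signatures. */
    const char *s[] = {
        "untrusted comment: verify with core.pub",
        "untrusted comment: verify with /etc/ports/core.pub",
        "untrusted comment: verify with /etc/ports/../tmp/evil.pub",
    };
    char buf[128];
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("bare=%2d full=%2d  %s\n", resolve_bare(s[i], "/etc/ports", buf, sizeof buf),
               resolve_fullpath(s[i], "/etc/ports", buf, sizeof buf), s[i]);
}
```

A comment carrying a full key path is refused by the bare-name policy and accepted by the full-path one, which is the mismatch between the two signify versions described in the thread.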