On 2019/02/23 18:02, Ted Unangst wrote:
> signify -z adds a date= line to the header, but nothing reads it. It's also
> not very useful, since it's outside the signature. It would still not be
> useful, because nothing about the signify design cares about when something
> was signed. It does cause trouble, however, because signing the same thing
> twice results in two different files. Normal signify operation produces
> consistent signatures.

pkg_add reads this header and copies it to the @digital-signature line
in the +CONTENTS file. It is directly user visible too: for the "always
updated" quirks package, the @digital-signature line is read and displayed:

# pkg_add -u quirks
quirks-3.104 signed on 2019-02-23T23:46:16Z

And at least some users make use of this to know when the package
build was done.

I'm not sure what you mean "outside the signature", changing the
date string does cause validation to fail, so it must be covered by
the signature?
