On Fri, Apr 26, 2019 at 02:49:57PM -0600, Theo de Raadt wrote:
> Ted Unangst <t...@tedunangst.com> wrote:
>
> > Simplify examples section. The magic recipe is contained in sysupgrade, so we
> > can omit it, and instead add a .xr to sysupgrade.8.
> >
> >
> > Index: signify.1
> > ===================================================================
> > RCS file: /home/cvs/src/usr.bin/signify/signify.1,v
> > retrieving revision 1.46
> > diff -u -p -r1.46 signify.1
> > --- signify.1 23 Mar 2019 07:10:06 -0000 1.46
> > +++ signify.1 26 Apr 2019 20:32:24 -0000
> > @@ -166,18 +166,6 @@ Sign a file, specifying a signature name
> > Verify a signature, using the default signature name:
> > .Dl $ signify -V -p key.pub -m generalsorders.txt
> > .Pp
> > -Verify a release directory containing
> > -.Pa SHA256.sig
> > -and a full set of release files:
> > -.Bd -literal -offset indent -compact
> > -$ signify -C -p /etc/signify/openbsd-66-base.pub -x SHA256.sig
> > -.Ed
> > -.Pp
> > -Verify a bsd.rd before an upgrade:
> > -.Bd -literal -offset indent -compact
> > -$ signify -C -p /etc/signify/openbsd-66-base.pub -x SHA256.sig bsd.rd
> > -.Ed
> > -.Pp
> > Sign a gzip archive:
> > .Bd -literal -offset indent -compact
> > $ signify -Sz -s key-arc.sec -m in.tgz -x out.tgz
>
> Please do not delete those chunks.
>
> I use them every 6 months to verify I have constructed correct release
> directories.
>
> I am not going to read the internals of sysupgrade to determine this. I
> am not going to use sysupgrade to verify my release directories are
> correct, since the directories are not yet flowing to mirrors and
> are hiding on some darknet.
>
> I know this recipe is in this manual page, so I use it.
>
> Removing it and saying "Oh some code somewhere does it", is irresponsible,
> it forces people to use just that specific chunk of code. Now everyone
> has to use sysupgrade? What if someone wants to do it manually? Oh I get
> it, they'll skip the verification step.....
>
I concur, I find these examples very helpful

--
:wq Claudio
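
Review bot: the `@@ -166,18 +166,6 @@` hunk removes both `signify -C` examples (the release-directory check against `SHA256.sig` and the single-file `bsd.rd` check) without adding anything in their place, and the cross-reference to sysupgrade.8 that the commit message describes is not among the lines shown. After this change the EXAMPLES context visible here covers only `-V` and `-Sz`, so a reader verifying a release set by hand has no documented command line for checksum-list verification. Suggest keeping at least the `signify -C -p ... -x SHA256.sig` example, and if the sysupgrade.8 reference is still wanted, adding it in the same diff so the two changes can be reviewed together.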