Well, sdk stumbled upon it (see docbooks-dsssl-1.79.tgz in snapshots right now)
Turns out that, if the archive is *exactly* a multiple of 64KB, we will error out at EOF.

I believe keeping the check for short reads and exiting as well for files that do not match 64KB lengths is the right thing to do.

(note that this does not affect the security of actual packages in any way, since the important verification, namely only passing signed checksummed data through the pipe, is preserved)

Okay?

Index: zsig.c
===================================================================
RCS file: /cvs/src/usr.bin/signify/zsig.c,v
retrieving revision 1.18
diff -u -p -r1.18 zsig.c
--- zsig.c 22 Dec 2019 06:37:25 -0000 1.18
+++ zsig.c 22 Apr 2023 09:00:11 -0000
@@ -160,6 +160,8 @@ copy_blocks(int fdout, int fdin, const c
if (more == 0) break; } + if (n == 0) + break; SHA512_256Data(buffer, n, output); if (endsha - sha < SHA512_256_DIGEST_STRING_LENGTH-1) errx(4, "signature truncated");
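Review bot: with the new `if (n == 0) break;` the outer loop can now exit without consuming a digest, so please confirm that copy_blocks() still verifies after the loop that every digest in the signature block was used (sha has reached endsha); that post-loop check is what rejects an input cut exactly at a 64KB boundary, and it is not visible in this hunk. The placement of the break itself looks right: before it, an input that is an exact multiple of the block size came back from the inner read loop once more with n == 0 after its last full block, SHA512_256Data() hashed an empty buffer, and because every digest had already been consumed the `endsha - sha < SHA512_256_DIGEST_STRING_LENGTH-1` test reported "signature truncated" for a perfectly valid file.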
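To make the boundary condition concrete, here is an added stand-alone model of the copy_blocks() read loop; it is example code written for this page, not signify's own source. It assumes a 16-byte block instead of 64KB, an in-memory input (`struct src`, whose reads return at most `chunk` bytes so short reads are exercised), FNV-1a 64-bit as a stand-in for SHA512/256, and a post-loop check that every signed digest was matched (assumed here; whether zsig.c has it is not shown in the hunk). The names `src_read`, `blockhash`, `sign_blocks`, `copy_blocks_model` and `verify_case` are hypothetical. `verify_case()` builds a constructed input of a fixed byte pattern, signs it, optionally tampers with or truncates it, and runs the verifier with the `n == 0` break either disabled (old behaviour) or enabled (patched). It goes a little beyond the reported case by also covering tampering and truncation at a block boundary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK	16		/* stands in for signify's 64KB block size */
#define MAXLEN	64
enum { ZS_OK = 0, ZS_TRUNCATED = 4, ZS_MISMATCH = 5 };

/* In-memory stand-in for the input pipe; a read returns at most `chunk` bytes
 * so the inner loop's short-read accumulation is exercised as well. */
struct src { const uint8_t *data; size_t len, pos, chunk; };

static size_t
src_read(struct src *s, uint8_t *buf, size_t want)
{
	size_t n = want < s->chunk ? want : s->chunk;
	if (n > s->len - s->pos)
		n = s->len - s->pos;
	memcpy(buf, s->data + s->pos, n);
	s->pos += n;
	return n;
}

/* FNV-1a 64-bit stands in for SHA512/256; the loop does not care which. */
static uint64_t
blockhash(const uint8_t *p, size_t n)
{
	uint64_t h = 0xcbf29ce484222325ULL;
	for (size_t i = 0; i < n; i++)
		h = (h ^ p[i]) * 0x100000001b3ULL;
	return h;
}

/* Signer side: one digest per block; only the last block may be short. */
static size_t
sign_blocks(const uint8_t *data, size_t len, uint64_t *sha)
{
	size_t nsha = 0;
	for (size_t off = 0; off < len; off += BLOCK) {
		size_t n = len - off < BLOCK ? len - off : BLOCK;
		sha[nsha++] = blockhash(data + off, n);
	}
	return nsha;
}

/* Verifier side, modelled on copy_blocks(); `fixed` enables the patch's
 * `if (n == 0) break;`. The real function writes each block to the output
 * pipe only after its digest matched; here matched blocks are just counted. */
static int
copy_blocks_model(struct src *in, const uint64_t *sha, size_t nsha, int fixed)
{
	uint8_t buffer[BLOCK];
	size_t idx = 0;
	for (;;) {
		size_t n = 0;
		while (n != BLOCK) {
			size_t more = src_read(in, buffer + n, BLOCK - n);
			if (more == 0)
				break;
			n += more;
		}
		if (fixed && n == 0)
			break;
		/* Without the fix an exact multiple of BLOCK gets here once more
		 * with n == 0; every digest is used up, so it fails as truncated. */
		uint64_t output = blockhash(buffer, n);
		if (idx >= nsha)
			return ZS_TRUNCATED;
		if (output != sha[idx])
			return ZS_MISMATCH;
		idx++;
		if (n != BLOCK)		/* short read: EOF */
			break;
	}
	/* Assumed post-loop check: an input cut at a block boundary must fail. */
	return idx == nsha ? ZS_OK : ZS_TRUNCATED;
}

/* Constructed input: `fed_len` bytes of a fixed pattern, signed as if it were
 * `signed_len` bytes long (fed_len < signed_len models truncation in transit),
 * optionally tampered after signing, then verified. */
static int
verify_case(size_t signed_len, size_t fed_len, size_t chunk, int tamper, int fixed)
{
	uint8_t data[MAXLEN];
	uint64_t sha[MAXLEN / BLOCK + 1];
	struct src in = { data, fed_len, 0, chunk };
	size_t nsha, i;
	if (signed_len > MAXLEN || fed_len > MAXLEN)
		return -1;
	for (i = 0; i < MAXLEN; i++)
		data[i] = (uint8_t)(i * 7 + 3);
	nsha = sign_blocks(data, signed_len, sha);
	if (tamper)
		data[0] ^= 1;
	return copy_blocks_model(&in, sha, nsha, fixed);
}
```

Link a small main() that calls `verify_case(32, 32, 16, 0, 0)` and `verify_case(32, 32, 16, 0, 1)`: the first (two full blocks, old loop) returns ZS_TRUNCATED, the second returns ZS_OK, which is exactly the exact-multiple failure described above. `verify_case(48, 32, 16, 0, 1)` (signed as three blocks, only two delivered) still returns ZS_TRUNCATED because of the post-loop count, and `verify_case(32, 32, 7, 1, 1)` returns ZS_MISMATCH for a tampered first block even with the fix in place, so no unverified data reaches the output.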