Sign OpenBSD packages with signify via pkg_sign

Use pkg_sign -s signify2 after pkg_create to produce signed packages. The signify private key lives at /etc/signify/custom-pkg.sec on the OpenBSD build host (fishfinger). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
author: Paul Buetow <paul@buetow.org> 2026-03-28 13:19:13 +0200
committer: Paul Buetow <paul@buetow.org> 2026-03-28 13:19:13 +0200
commit: 897c65ff0fdf00d19511a7a15e57b816d64c40bb (patch)
tree: 36ecf2170d633b33f7cb548452b5325f6ea86753 /Magefile.go
parent: 4c35c805e6f2c4cb0f55123889b3b33cd447f70f (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/Magefile.go b/Magefile.go
index c6b04c9..daabc74 100644
--- a/Magefile.go
+++ b/Magefile.go
@@ -266,8 +266,15 @@ doas pkg_create \
     -B gogios-pkg/stage \
     -p / \
     gogios-pkg/out/gogios-%s.tgz
-echo "OpenBSD package built"
-`, ver)
+
+# Sign the package with signify via pkg_sign
+mkdir -p gogios-pkg/signed
+doas pkg_sign -s signify2 -s /etc/signify/custom-pkg.sec \
+    -o gogios-pkg/signed gogios-pkg/out/gogios-%s.tgz
+# Replace unsigned with signed
+mv gogios-pkg/signed/gogios-%s.tgz gogios-pkg/out/gogios-%s.tgz
+echo "OpenBSD package built and signed"
+`, ver, ver, ver, ver)
 
 	if err := os.WriteFile("/tmp/pkgopenbsd.sh", []byte(script), 0o755); err != nil {
 		return err
author	Paul Buetow <paul@buetow.org>	2026-03-28 13:19:13 +0200
committer	Paul Buetow <paul@buetow.org>	2026-03-28 13:19:13 +0200
commit	897c65ff0fdf00d19511a7a15e57b816d64c40bb (patch)
tree	36ecf2170d633b33f7cb548452b5325f6ea86753 /Magefile.go
parent	4c35c805e6f2c4cb0f55123889b3b33cd447f70f (diff)