From 897c65ff0fdf00d19511a7a15e57b816d64c40bb Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 28 Mar 2026 13:19:13 +0200 Subject: Sign OpenBSD packages with signify via pkg_sign Use pkg_sign -s signify2 after pkg_create to produce signed packages. The signify private key lives at /etc/signify/custom-pkg.sec on the OpenBSD build host (fishfinger). Co-Authored-By: Claude Opus 4.6 --- Magefile.go | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Magefile.go b/Magefile.go index c6b04c9..daabc74 100644 --- a/Magefile.go +++ b/Magefile.go @@ -266,8 +266,15 @@ doas pkg_create \ -B gogios-pkg/stage \ -p / \ gogios-pkg/out/gogios-%s.tgz -echo "OpenBSD package built" -`, ver) + +# Sign the package with signify via pkg_sign +mkdir -p gogios-pkg/signed +doas pkg_sign -s signify2 -s /etc/signify/custom-pkg.sec \ + -o gogios-pkg/signed gogios-pkg/out/gogios-%s.tgz +# Replace unsigned with signed +mv gogios-pkg/signed/gogios-%s.tgz gogios-pkg/out/gogios-%s.tgz +echo "OpenBSD package built and signed" +`, ver, ver, ver, ver) if err := os.WriteFile("/tmp/pkgopenbsd.sh", []byte(script), 0o755); err != nil { return err -- cgit v1.2.3