Chicago pointed out in https://bugs.gentoo.org/924895#c5: > Are y'all testing this with the verify-sig USE flag enabled? ... > * dyndns-samples.tbz2 BLAKE2B SHA512 size ;-) ... ... > * The following distfiles lack detached signatures: > * dyndns-samples.tbz2 Aha, good catch. Yes, I was, but not with USE=doc enabled, which adds the distfile mirror://gentoo/dyndns-samples.tbz2 And there does not appear to be a corresponding signature available for that file. Doing some spelunking, it looks like dyndns-samples.tbz2 was first added to files/ in 2002-06-29. It first got a digest entry 2003-04-06, using md5 which is now deprecated, but the currently served dyndns-samples.tbz2 has the same md5sum. https://mgorny.pl/articles/verify-sig-by-example.html covers the case of having some unsigned distfiles (calls out Gentoo patchsets as an example, in fact). In that case, explicitly call verify-sig_* helpers in src_unpack() for the files that have signatures. I'll test & prepare a PR for that.
Thank you sir!
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fec12a1db44041aa37ed5acc198ef70d8b265afa commit fec12a1db44041aa37ed5acc198ef70d8b265afa Author: Hank Leininger <hlein@korelogic.com> AuthorDate: 2024-02-19 17:45:13 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-02-19 20:22:14 +0000 net-dns/bind: Fix USE=doc+verify-sig Signed-off-by: Hank Leininger <hlein@korelogic.com> Closes: https://bugs.gentoo.org/924995 Bug: https://bugs.gentoo.org/924895 Closes: https://github.com/gentoo/gentoo/pull/35429 Signed-off-by: Sam James <sam@gentoo.org> net-dns/bind/bind-9.16.48.ebuild | 7 +++++++ 1 file changed, 7 insertions(+)
