>Synopsis:      clarify what is the checksum list file - now confusing

>Category:      documentation

>Description:   signify(1) states for -C:

Verify a signed checksum list, and then verify the checksum for each file.
If no files are specified, all of them are checked.  sigfile should be the
signed output of sha256(1).

Such an instruction may lead to the assumption that the sigfile (which is also
called the signed checksum list here) is just a signature file of the
SHA256 file. Then the `signify -C ...` command fails, as it does not have
the checksums in the sigfile and does not itself read the original
(unsigned) checksum list file.

However, the sigfile is actually the signature file of the SHA256 file
with the contents of the SHA256 file appended. (The original SHA256 file
is then no longer necessary for use with signify.) So the checksums are
embedded in the signature file.

>Fix:

I believe the above-mentioned paragraph of signify(1) might be improved as follows:

Verify the signature of a signed checksum list, and then verify the sha256
checksum for each file. If no files are specified, all of them are checked.
The sigfile (i.e. the signed checksum list) is the signature of the SHA256
file with the contents of the actual SHA256 file appended. See the examples
below.

There should also be an example of how to generate the signed checksum list
file:

sha256 -h SHA256 *
signify -S -s key.sec -m SHA256
cat SHA256 >> SHA256.sig
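To make the file layout the report describes concrete, here is an added example (not part of the bug report and not signify's own code) that parses a signed checksum list the way signify -C consumes it: the first two lines are the signature file (untrusted comment line plus base64 signature), and everything after them is the appended contents of the SHA256 file in sha256(1) output format. The checksum lines, the file names, and the base64 value are constructed sample data; the signature value is a placeholder and this code deliberately leaves the signature check itself to signify, it only shows why a bare signature file gives signify -C nothing to check while a signature file with the SHA256 contents appended does.

```python
import base64
import hashlib
import os
import re
import tempfile

# Layout of a signify "signed checksum list" (the sigfile) as described in the report:
#   line 1 : "untrusted comment: ..."
#   line 2 : base64-encoded signature
#   rest   : the appended SHA256 file, i.e. sha256(1) output lines
CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hexdigest>[0-9a-f]{64})$")
COMMENT_PREFIX = "untrusted comment: "


def split_sigfile(text):
    """Split a sigfile into (comment, signature_b64, checksum_lines)."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("not a signify signature file")
    comment = lines[0][len(COMMENT_PREFIX):]
    sig_b64 = lines[1]
    body = [line for line in lines[2:] if line]  # the appended SHA256 file, if any
    return comment, sig_b64, body


def parse_checksums(body):
    """Map file name -> expected hex digest from sha256(1) formatted lines."""
    entries = {}
    for line in body:
        m = CHECKSUM_LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        entries[m.group("name")] = m.group("hexdigest")
    return entries


def verify_files(sigfile_text, directory, names=None):
    """Return {name: bool} for each checked file; a missing or altered file is False.

    Mirrors the -C wording: if no files are specified, all of them are checked.
    The embedded signature is NOT verified here; that is signify's job and must
    succeed before any of these checksums can be trusted.
    """
    _, _, body = split_sigfile(sigfile_text)
    checksums = parse_checksums(body)
    if names is None:
        names = list(checksums)
    results = {}
    for name in names:
        if name not in checksums:
            raise KeyError("%s is not in the checksum list" % name)
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
        except FileNotFoundError:
            results[name] = False
            continue
        results[name] = digest == checksums[name]
    return results


def demo():
    """Build a constructed sigfile over two temp files, then tamper with one."""
    workdir = tempfile.mkdtemp()
    files = {"a.txt": b"hello\n", "b.txt": b"world\n"}  # constructed sample files
    for name, data in files.items():
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(data)
    # Constructed SHA256 file, in the format `sha256 -h SHA256 *` writes.
    sha256_file = "".join(
        "SHA256 (%s) = %s\n" % (name, hashlib.sha256(data).hexdigest())
        for name, data in files.items()
    )
    # Constructed signature header; the base64 value is a placeholder, not a real signature.
    sig_header = (COMMENT_PREFIX + "verify with key.pub\n"
                  + base64.b64encode(b"placeholder-signature").decode() + "\n")
    sigfile = sig_header + sha256_file  # same result as `cat SHA256 >> SHA256.sig`
    before = verify_files(sigfile, workdir)
    with open(os.path.join(workdir, "b.txt"), "wb") as f:
        f.write(b"changed\n")  # simulate a modified file
    after = verify_files(sigfile, workdir)
    return before, after


if __name__ == "__main__":
    print(demo())
```

A signature file produced by `signify -S` alone has no lines after the base64 signature, so `verify_files` on it returns an empty result: there is simply nothing to check, which is the failure mode the report describes. Once the SHA256 contents are appended, every listed file is checked.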

Thanks,
Jan Šmydke
