Stuart Henderson wrote: > On 2019/02/23 18:02, Ted Unangst wrote: > > signify -z adds a date= line to the header, but nothing reads it. It's also > > not very useful, since it's outside the signature. It would still not be > > useful, because nothing about the signify design cares about when something > > was signed. It does cause trouble, however, because signing the same thing > > twice results in two different files. Normal signify operation produces > > consistent signatures. > > pkg_add reads this header and copies to the @digital-signature line > in the +CONTENTS file. It is directly user visible too, for the "always > updated" quirks package, the @digital-signature line is read and displayed:
I was trying to find such code, but obviously failed. > I'm not sure what you mean "outside the signature", changing the > date string does cause validation to fail, so it must be covered by > the signature? Ah, it is. Never mind then. The context is that some people are trying to use signify in a determinisitic reproducible way, and the dates keep changing. At first this looked like an unnecessary addition, but if we're using it, then that's how things are.