First real backup with bakelite is a success! 😀👍 A few hiccups (like blocking on trying to open fifos) led to bug fixes (unpushed as of now) in the process.
Also found out signify(1) refuses to open its key through symlinks. 😡🤬 Which almost failed the whole thing at the end, but it turns out I made it so when just signature fails, you still get a successful commit you can do an incremental 0-difference on with the signature added.
Main issue with signify is that they don't use pre-hashing so the memory usage scales to the size of the overall file and it has bad performance.
I don't really understand why they insisted on only using ed25519 without doing pre-hashing like pretty much any normal approach.
It has support for verifying BSD checksum files listing cryptographic hashes of one or more files which we use for GrapheneOS releases to work around not having pre-hashing. Otherwise it would take a gigabyte of memory to verify the release and would take far more time...
It's not like signify would be any less elegant if it ran the files through SHA-2 or BLAKE before signing them. It could have had the exact same format. It's also a bit strange that the public keys and signatures made with them have a 64-bit key id embedded. UX doesn't use it.
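The checksum-list workaround mentioned in the thread, sketched as an added example that is not part of the original posts and is not signify's own code: large files are hashed in fixed-size chunks, and only the small list of hashes would need to be signed and held in memory. The `SHA256 (name) = hex` line format, the file name `release.bin` and all function names are assumptions for illustration; checking the signature over the list itself is not shown.

```python
import hashlib
import os
import re
import tempfile

# Assumed line format, as written by BSD sha256(1)-style tools:
#   SHA256 (release.bin) = <hex digest>
BSD_LINE = re.compile(r"^(SHA256|SHA512) \(([^/]+)\) = ([0-9a-f]+)$")

def stream_digest(path, algo, chunk_size=1 << 20):
    """Hash in 1 MiB chunks: memory stays constant however large the file is."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def bsd_line(path, algo="SHA256"):
    """Produce the checksum line that would go into the (small) signed list."""
    return f"{algo} ({os.path.basename(path)}) = {stream_digest(path, algo)}"

def verify_checksum_list(text, base_dir):
    """Map each listed file name to True/False; malformed lines raise ValueError."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = BSD_LINE.match(line)
        if m is None:  # also rejects names containing '/', so no path traversal
            raise ValueError(f"malformed checksum line: {line!r}")
        algo, name, expected = m.groups()
        path = os.path.join(base_dir, name)
        results[name] = os.path.isfile(path) and stream_digest(path, algo) == expected
    return results

def demo():
    """Constructed sample: a 3 MiB file verified, then modified and re-verified."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "release.bin")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"\x00" * (3 << 20))
        listing = bsd_line(path) + "\n"  # in practice this list is what gets signed
        before = verify_checksum_list(listing, d)
        with open(path, "ab") as f:
            f.write(b"modified")
        after = verify_checksum_list(listing, d)
        return before, after

if __name__ == "__main__":
    print(demo())
```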

