Minisign
aqua supports verifying packages with minisign to install some packages securely. For example, zig is signed by minisign.
Example
packages:
- type: http
repo_owner: ziglang
repo_name: zig
# ...
minisign:
type: http
url: https://ziglang.org/builds/zig-{{.OS}}-{{.Arch}}-{{.Version}}.{{.Format}}.minisig
public_key: "RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U"
Verifying checksum files using Minisign.
packages:
- type: github_release
repo_owner: bufbuild
repo_name: buf
asset: buf-{{.OS}}-{{.Arch}}.{{.Format}}
format: tar.gz
files:
- name: buf
src: buf/bin/buf
replacements:
amd64: x86_64
darwin: Darwin
linux: Linux
windows: Windows
checksum:
type: github_release
asset: sha256.txt
algorithm: sha256
minisign: # Minisign
type: github_release
asset: sha256.txt.minisig
public_key: RWQ/i9xseZwBVE7pEniCNjlNOeeyp4BQgdZDLQcAohxEAH5Uj5DEKjv6
overrides:
- goos: linux
replacements:
arm64: aarch64