@chrko - strange that you're running into that. Albeit a historical feature, gpg may assume the first argument to --verify
is a detatched signature, then it will try to assume the signed data by stripping some suffixes from the first argument to --verify
(--verify-files
is just shorthand for --multifile --verify
).
example, gpg assuming signed data:
$ gpg --verify-files src/op.sig
gpg: assuming signed data in 'src/op'
gpg: Signature made Tue 19 Aug 2025 11:22:08 AM PDT
...
Going through the gpg man page: it heavily discourages relying on that historical feature and to explicitly specify the signed data, it mentions --multifile
may not be used to verify detached signatures, and plainly, there isn't a reason to use --multifile
when there's only one signature to verify.
I'm in agreement that it probably should be changed to gpg --verify ${srcdir}/op.sig ${srcdir}/op
. 2.32.0-2 will be released shortly with this change; please let me know if there are further issues.
Pinned Comments
slurpee commented on 2022-03-22 11:18 (UTC) (edited on 2025-07-10 04:49 (UTC) by slurpee)
As of the
2.24.0-2
release, Zsh shell completion is no longer provided by the package to mirror the official packages. Users that wish to use shell completion can add a line to their shell's dotfile.See the official docs for instructions specific to your shell: https://developer.1password.com/docs/cli/reference/commands/completion/
It is recommended to verify the authenticity of the binary by using Agilebits's PGP code signing key. Their public key ID is published in the install documentation. Agilebits recently renewed their PGP key; if GPG reports the key has expired, simply run the receive command again and trust as you see fit.