Questions about SIGNING.md

[bitfl0wer]

I've been trying to figure out how to correctly do stuff to make binstall find my binary + signature, but I feel like the documentation on how to do it is a little too confusing for me.

I have tried:

• Making a .tar file containing the binary and the signature file
• Making a .tar fine containing the binary, and putting the signature file in the same directory as the .tar file
• Changing the pkg-url field

And none of these resulted in binstall being able to pick up my binary as a signed something.

In short, what do I need to do to get cargo-binstall to pick up a signed, compiled binary (built with algorithm and pubkey information) from a repository of my choosing? I'd like to be able to point binstall to a specific URL from where it is supposed to download a package and the corresponding signature from.

I am asking this having read the documentation, but not having understood it entirely 😵‍💫

I appreciate your work and am working on a tool to make managing binstall binaries easier, and I am stuck on this last thing

[passcod]

It would be great to have logs or even your package for investigating this, as otherwise we're reduced to making guesses.

Just checking: you did put package.metadata.binstall.signing in your Cargo.toml, right? And you either published it or configured binstall to use your local copy for testing?

The signature then needs to be a minisign .sig file of the entire thing that's downloaded (your tar file). It can't be appended or included into the tar itself.

[bitfl0wer]

You can see all the packages I have tried the install process with here: My test-binstall-repo. While I am pretty sure that my first one or two attempts are very incorrect, the logs have always been the same-ish:

cargo binstall --only-signed exa --force --pkg-url https://github.com/bitfl0wer/warehouseify-test-repo/releases/download/vreek/exa-0.10.1-2025-05-22T14.19.18.759Z.tar
 INFO resolve: Resolving package: 'exa'
 WARN Crate [email protected] on target x86_64-unknown-linux-gnu does not specify pkg-fmt but its pkg-url also does not contain key format, archive-format or archive-suffix.
binstall was able to guess that from pkg-url, but just note that it could be wrong:
pkg-fmt="Tar", pkg-url="https://github.com/bitfl0wer/warehouseify-test-repo/releases/download/vreek/exa-0.10.1-2025-05-22T14.19.18.759Z.tar"
 WARN resolve: Error while downloading and extracting from fetcher github.com: No signature present
 WARN Crate [email protected] on target x86_64-unknown-linux-musl does not specify pkg-fmt but its pkg-url also does not contain key format, archive-format or archive-suffix.
binstall was able to guess that from pkg-url, but just note that it could be wrong:
pkg-fmt="Tar", pkg-url="https://github.com/bitfl0wer/warehouseify-test-repo/releases/download/vreek/exa-0.10.1-2025-05-22T14.19.18.759Z.tar"
 WARN resolve: Error while downloading and extracting from fetcher github.com: No signature present
ERROR Failed to download signature: Failed to download from remote: could not GET https://github.com/cargo-bins/cargo-quickinstall/releases/download/exa-0.10.1/exa-0.10.1-x86_64-unknown-linux-gnu.tar.gz.sig: HTTP status client error (404 Not Found) for url (https://github.com/cargo-bins/cargo-quickinstall/releases/download/exa-0.10.1/exa-0.10.1-x86_64-unknown-linux-gnu.tar.gz.sig)
 WARN resolve: Error while checking fetcher QuickInstall: No signature present
ERROR Failed to download signature: Failed to download from remote: could not GET https://github.com/cargo-bins/cargo-quickinstall/releases/download/exa-0.10.1/exa-0.10.1-x86_64-unknown-linux-musl.tar.gz.sig: HTTP status client error (404 Not Found) for url (https://github.com/cargo-bins/cargo-quickinstall/releases/download/exa-0.10.1/exa-0.10.1-x86_64-unknown-linux-musl.tar.gz.sig)
 WARN resolve: Error while checking fetcher QuickInstall: No signature present
 WARN The package exa v0.10.1 will be installed from source (with cargo)
Do you wish to continue? [yes]/no

My Cargo.toml has looked as such:

[package.metadata.binstall]
pkg_fmt = "tar"
pkg_url = "{ repo }/releases/download/{ version }/"

[package.metadata.binstall.signing]
algorithm = "minisign"
pubkey = "RWQiiqKPv2GEs2Z3jnn2iqA9/E7Mo5/YNvp2pJ/fxylm2BumXygXJMhx"

and, previously,

# No pkg_fmt etc. settings
[package.metadata.binstall.signing]
algorithm = "minisign"
pubkey = "RWQiiqKPv2GEs2Z3jnn2iqA9/E7Mo5/YNvp2pJ/fxylm2BumXygXJMhx"

In accordance with what you have told me in your reply, I have changed my code to first create the .tar file, then create a signature of the tar file, instead of what I've done before (signing the binary and putting it into a .tar archive). Sadly, it still does not seem to work: Here's a link to some .tar/.sigs which I have produced using this correcter method.

And you either published it or configured binstall to use your local copy for testing?

I am not exactly sure what the latter part entails, other than setting --pkg-url in the cli.

[NobodyXu]

https://github.com/bitfl0wer/warehouseify-test-repo/releases/tag/vShower

I think this release looks correct to me?

[passcod]

Well, you're trying to package exa. The way signing is authenticated is that binstall looks up the exa package metadata from the registry, and uses that to obtain the public key.

In this instance, if I look up the crates.io-published Cargo.toml, I find no binstall metadata.

This means that binstall has no way to find your public key. (It also tries to install from quickinstall, where the public key is statically known, but that's unrelated.)

Assuming you're doing this for testing, you need to specify your local Cargo.toml with --manifest-path, so that binstall can use the public key contained there. When publishing your own packages, you'll need to ensure the public key is in the registry-published Cargo.toml.

It should also be possible to make this work with your own registry, provided it serves (modified) crate metadata that contains your key (and may as well contain pkg-url etc instead of providing that on the command line).