Shyft MSYS2 Repository

Stable (recommended)

https://msys2.helset.gotdns.org/stable/ucrt64/

Production releases for supported downstream MSYS2/UCRT64 environments.

Staging

https://msys2.helset.gotdns.org/staging/ucrt64/

Pre-release builds for validation.

Trust model

All published packages and repository metadata are cryptographically signed. Trust must be established by verifying the signing key fingerprint through a trusted channel.

Expected fingerprint:

CFFE BAE1 B25B AD34 C72A 2565 4A12 4000 37DA B695

User ID:

Sigbjørn Helset <sigbjorn.helset@gmail.com>

Never establish trust based solely on data downloaded from this endpoint. Verify the fingerprint via independent, trusted sources.

Quick setup (MSYS2 UCRT64)

Commands shown with $ are intended to be run from an MSYS2 UCRT64 shell. Administrative privileges may be required depending on how the MSYS2 installation is managed.

1. Fetch key

$ curl -O https://msys2.helset.gotdns.org/stable/ucrt64/shyft-release-key.asc

2. Verify fingerprint

See expected output example below if unsure what to look for.

$ gpg --import shyft-release-key.asc

$ gpg --show-keys --with-fingerprint shyft-release-key.asc

3. Add key to pacman keyring

$ pacman-key --add shyft-release-key.asc
$ pacman-key --lsign-key 4A12400037DAB695

Local signing marks the verified key as trusted on this system. Only do this after you have verified the fingerprint through a trusted channel.

4. Add repository

Stable (recommended)

$ tee -a /etc/pacman.conf <<'EOF'

[shyft-stable]
SigLevel = Required DatabaseOptional
Server = https://msys2.helset.gotdns.org/stable/ucrt64
EOF

Staging (optional)

$ tee -a /etc/pacman.conf <<'EOF'

[shyft-staging]
SigLevel = Required DatabaseOptional
Server = https://msys2.helset.gotdns.org/staging/ucrt64
EOF

5. Refresh package databases

$ pacman -Sy

6. Install Shyft

$ pacman -Sy mingw-w64-ucrt-x86_64-shyft

The MSYS2 publication currently provides the Shyft package as: mingw-w64-ucrt-x86_64-shyft

7. Optional: verify provenance

Stable

$ curl -O https://msys2.helset.gotdns.org/stable/ucrt64/PROVENANCE.txt
$ curl -O https://msys2.helset.gotdns.org/stable/ucrt64/PROVENANCE.txt.asc
$ gpg --verify PROVENANCE.txt.asc PROVENANCE.txt

Staging

$ curl -O https://msys2.helset.gotdns.org/staging/ucrt64/PROVENANCE.txt
$ curl -O https://msys2.helset.gotdns.org/staging/ucrt64/PROVENANCE.txt.asc
$ gpg --verify PROVENANCE.txt.asc PROVENANCE.txt

Review the signed provenance file together with package signatures and repository metadata as part of your supply-chain validation.

When verifying signatures with gpg --verify, you may see warnings such as:

WARNING: This key is not certified with a trusted signature
There is no indication that the signature belongs to the owner

This is expected when the key is not part of your personal Web-of-Trust.

In personal or small deployments, it is acceptable to rely on fingerprint verification alone.
In corporate environments, the signing key is typically pre-distributed and trusted, so these warnings do not appear.
If desired, you may locally sign the key using gpg --lsign-key after verifying the fingerprint.

The critical requirement is that the fingerprint matches a trusted source.

Expected output examples

After importing the key and checking the fingerprint, output similar to this is expected:

$ gpg --show-keys --with-fingerprint shyft-release-key.asc
pub   ed25519 2026-04-03 [C] [expires: 2031-04-02]
      CFFE BAE1 B25B AD34 C72A  2565 4A12 4000 37DA B695
uid                      Sigbjørn Helset <sigbjorn.helset@gmail.com>
sub   ed25519 2026-04-03 [S] [expires: 2031-04-02]

When verifying the signed provenance file, output similar to this is expected:

$ gpg --verify PROVENANCE.txt.asc PROVENANCE.txt
gpg: Signature made Mon Apr 6 20:32:23 2026 UTC
gpg:                using EDDSA key A0AF2BD11681F281CED2324CBD8CB4F65431F486
gpg: Good signature from "Sigbjørn Helset <sigbjorn.helset@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CFFE BAE1 B25B AD34 C72A  2565 4A12 4000 37DA B695
     Subkey fingerprint: A0AF 2BD1 1681 F281 CED2  324C BD8C B4F6 5431 F486

The important parts are:

Good signature
the expected primary key fingerprint
the expected user ID

Publication scope and limitations

The MSYS2 publication is intentionally narrower than the Linux publications. At present:

the published package is mingw-w64-ucrt-x86_64-shyft
no separate debug packages are published
the available build-environment information is limited compared to the Linux channels
the published build-environment record is build-image-sbom.txt

Due to limitations in the current Windows build process, less automated build and provenance information is available than for the Linux publications. This should be taken into account in downstream review and validation procedures.

High-assurance setup (recommended for controlled environments)

Verify fingerprint on a separate trusted system
Transfer key via secure channel (USB / offline media)
Download and verify the signed PROVENANCE.txt file
Add and locally sign the key only after verification
Enable repository
Review build-image-sbom.txt as part of downstream assessment

For regulated or audited environments, treat repository bootstrap as a controlled trust-establishment process. For MSYS2 publications, downstream users should also account for the more limited build metadata currently available from the Windows build flow.

Repository contents

Signed package archives
Repository database files
shyft-release-key.asc
PROVENANCE.txt
PROVENANCE.txt.asc
build-image-sbom.txt

Verify package signatures, repository metadata, the signed provenance document, and the published build-environment record as part of your supply-chain validation.

Notes

Use stable for normal operation
Use staging for validation and pre-release testing
Recommended Shyft environments are Linux-based, especially Arch Linux and Fedora
Keys may rotate — always verify against official documentation