Re: pkgsrc signature verification?

[6E7368 <6E7368%protonmail.com@localhost>]

Thanks Greg, it's been a while since I've been on a mailing list and I didn't think of it as a platform-specific question. I'm on a fresh install of netbsd 9.0 on a rpi3b+ with sources from anoncvs.netbsd.org without any configuration besides users, passwords, hostname and disabling sshd.

I don't know if this is the best place to ask this, but shouldn't pkgsrc check for netpgpverify in $PATH and use that by default if it's there? Or at least print something to stdout? I remember a message printed about installing gnupg to verify downloads but it said nothing about netpgpverify. (I've rebooted since and I don't have shell history saved).



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Tuesday, August 25, 2020 5:05 AM, Greg Troxel <gdt%lexort.com@localhost> wrote:

> 6E7368 6E7368%protonmail.com@localhost writes:
>
> > I'm new to netbsd and ran into some trouble trying to set up signature
> > verification with pkgsrc. It seems like you have to install gpg to
> > verify signatures, but there's no way to verify gpg itself. What's the
> > standard procedure to have signature verification working before
> > installing anything? Thanks.
>
> This is confusing and underdocumented. Take the following with a grain
> of salt.
>
> On NetBSD, pkg_add uses netpgpverify.
>
> You didn't say what OS, what version, what pkgsrc branch, where you are
> getting binary packages from, and any non-default configuration.