Subject: Re: [ CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Alistair Crooks <>
From: Simon Gerraty <>
List: tech-pkg
Date: 10/02/2001 23:05:31
On Tue, 25 Sep 2001 13:25:58 +0200, Alistair Crooks wrote:
>The attached changes to pkg_add(1) add the ability to verify the
>contents of a binary package by using digital signatures. This
>has been accomplished by adding a "-s verification-type" command
>line argument to pkg_add.


>At the moment, the ability to verify packages is limited to those
>which are not specified by URL. We are looking at removing this

Is this because the signatures are delivered separately?  What about a
"pkg" that wraps the .tgz and its signature into one file?  The
pkg_add of such a thing (.stgz or whatever) would involve unpacking
the .tgz and .sig, verifying the signature, and if ok carrying on with
the .tgz.

>% sudo pkg_add -s gpg $PKGREPOSITORY/skill-4.0.tgz
>gpg: Signature made Fri Sep 21 13:07:56 2001 BST using DSA key ID 26B1CB95
>gpg: Good signature from "Alistair Crooks "TEST KEY" <>"
>Proceed with addition of /usr/packages/i386/skill-4.0.tgz: [y/n]? y

If the signature is good, is there any reason to prompt?