Subject: Re: [email@example.com: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Alistair Crooks <firstname.lastname@example.org>
From: Simon Gerraty <email@example.com>
Date: 10/02/2001 23:05:31
On Tue, 25 Sep 2001 13:25:58 +0200, Alistair Crooks wrote:
>The attached changes to pkg_add(1) add the ability to verify the
>contents of a binary package by using digital signatures. This
>has been accomplished by adding a "-s verification-type" command
>line argument to pkg_add.
>At the moment, the ability to verify packages is limited to those
>which are not specified by URL. We are looking at removing this
Is this because the signatures are delivered separately? What about a
"pkg" that wraps the .tgz and its signature into one file? The
pkg_add of such a thing (.stgz or whatever) would involve unpacking
the .tgz and .sig, verifying the signature, and if ok carrying on with
>% sudo pkg_add -s gpg $PKGREPOSITORY/skill-4.0.tgz
>gpg: Signature made Fri Sep 21 13:07:56 2001 BST using DSA key ID 26B1CB95
>gpg: Good signature from "Alistair Crooks "TEST KEY" <firstname.lastname@example.org>"
>Proceed with addition of /usr/packages/i386/skill-4.0.tgz: [y/n]? y
If the signature is good, is there any reason to prompt?