Subject: Re: [agc@netbsd.org: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Simon Gerraty <sjg@juniper.net>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-pkg
Date: 10/03/2001 11:50:35
On Tue, Oct 02, 2001 at 11:05:31PM -0700, Simon Gerraty wrote:
> >At the moment, the ability to verify packages is limited to those
> >which are not specified by URL. We are looking at removing this
> >restriction.
> 
> Is this because the signatures are delivered separately?  What about a
> "pkg" that wraps the .tgz and its signature into one file?  The
> pkg_add of such a thing (.stgz or whatever) would involve unpacking
> the .tgz and .sig, verifying the signature, and if ok carrying on with
> the .tgz.

The ability for a binary package to be installed using pax or tar is
still a big win, as it can get you out of those delicate little "in
extremis" situations. That's why we decided to detach the signature.
But, yes, we're still looking at removing this restriction.
 
> >% sudo pkg_add -s gpg $PKGREPOSITORY/skill-4.0.tgz
> >gpg: Signature made Fri Sep 21 13:07:56 2001 BST using DSA key ID 26B1CB95
> >gpg: Good signature from "Alistair Crooks "TEST KEY" <agc@pkgsrc.org>"
> >Proceed with addition of /usr/packages/i386/skill-4.0.tgz: [y/n]? y
> >%
> 
> If the signature is good, is there any reason to prompt?

Oh, yes, very much so - just because a signature is "good" doesn't
mean that you trust the signatory.

I have some other patches which should make it into the tree soon
(they're under review at the moment), which give you the ability
to specify signatories who are trusted, and those you definitely
do not trust, which give us the ability to do unattended package
installations with digital signatures.

Regards,
Alistair
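Added illustration of the point made above, that a "good" signature is not the same as a trusted signatory (example code written for this archive page, not part of pkg_install). It assumes gpg is invoked with --status-fd so its machine-readable GOODSIG/VALIDSIG lines can be matched against explicit trusted and untrusted lists; the sample status lines and key ids/fingerprints are constructed placeholders.

```python
"""Policy check for a detached package signature: gpg reporting GOODSIG is
necessary but not sufficient. The signing key must also be on an explicit
trust list before an unattended install may proceed; a key on the untrusted
list refuses outright; anything else falls back to the interactive prompt."""
import subprocess
from typing import Iterable

# Constructed sample of gpg --status-fd output. The key id and fingerprint
# are made-up placeholders, not real keys.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 1111111126B1CB95 Alistair Crooks "TEST KEY" <agc@pkgsrc.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111126B1CB95 2001-09-21 1001077276 0 4 0 17 2 00
"""

# Status tags that mean the signature must not be accepted, whatever else gpg says.
FAILURE_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(lines: Iterable[str]) -> dict:
    """Reduce gpg status lines to the fields the policy needs."""
    result = {"good": False, "keyid": None, "fpr": None, "error": None}
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            result["good"] = True
            result["keyid"] = fields[2]
        elif tag == "VALIDSIG":
            result["fpr"] = fields[2]  # full fingerprint, not a short key id
        elif tag in FAILURE_TAGS:
            result["error"] = tag
    return result


def decide(status: dict, trusted: set, untrusted: set) -> str:
    """Return 'install' (unattended), 'refuse', or 'prompt' (ask the operator)."""
    if status["error"] or not status["good"]:
        return "refuse"  # not a good signature at all
    ident = status["fpr"] or status["keyid"]  # prefer the full fingerprint
    if ident in untrusted:
        return "refuse"  # explicit distrust wins over everything
    if ident in trusted:
        return "install"  # good signature from a trusted signatory
    return "prompt"  # good signature, unknown signatory: ask, as pkg_add -s does


def gpg_status_lines(pkg: str, sig: str) -> list:
    """Verify a detached signature and return gpg's status lines (stdout)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig, pkg],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()
```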