Subject: Re: [ CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Hubert Feyrer <>
From: Bill Sommerfeld <>
List: tech-pkg
Date: 10/03/2001 18:55:04
> I wonder if it was possible to make the signature part of the +-files, and
> if present do the signature checking?  Just like what we do for +MESSAGE
> files etc.

It would make verifying the signature a bit messy, since the signature
obviously couldn't cover the +SIGNATURE file; you'd have to be able to
reconstruct the tarball as it was without the +SIGNATURE.

An alternate approach would be to double-wrap things -- have a tarball
containing the package tarball and a +SIGNATURE file, and then unwrap
the inner tarball if the signature verifies.
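The double-wrap layout sketched above, as an added example that is not code from the NetBSD pkg_install tree or from either poster: the outer tarball carries the untouched inner package tarball plus a +SIGNATURE member, the signature is computed over the inner tarball bytes exactly as shipped, and the inner tarball is unpacked only after the signature verifies. Assumptions not in the mail: Ed25519 is used as the signature scheme (the mail names none), the inner member is called "pkg.tar", everything is built in memory, and the package contents are constructed for the demo.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Member names inside the outer wrapper. "+SIGNATURE" comes from the mail;
// "pkg.tar" for the inner package tarball is an assumption.
const (
	innerName = "pkg.tar"
	sigName   = "+SIGNATURE"
)

type member struct {
	name string
	data []byte
}

// writeTar builds an uncompressed tarball in memory, preserving member order.
func writeTar(members []member) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, m := range members {
		hdr := &tar.Header{Name: m.name, Mode: 0644, Size: int64(len(m.data))}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(m.data); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readTar returns every member of a tarball keyed by name.
func readTar(data []byte) (map[string][]byte, error) {
	out := map[string][]byte{}
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		out[hdr.Name] = body
	}
}

// WrapSigned is the producer side: the signature covers the inner tarball
// bytes as shipped, so the verifier never has to reconstruct anything.
func WrapSigned(inner []byte, priv ed25519.PrivateKey) ([]byte, error) {
	return writeTar([]member{{innerName, inner}, {sigName, ed25519.Sign(priv, inner)}})
}

// UnwrapVerified is the consumer side: open only the outer wrapper, check the
// signature over the untouched inner tarball, and unpack it only on success.
func UnwrapVerified(outer []byte, pub ed25519.PublicKey) (map[string][]byte, error) {
	members, err := readTar(outer)
	if err != nil {
		return nil, err
	}
	inner, okInner := members[innerName]
	sig, okSig := members[sigName]
	if !okInner || !okSig {
		return nil, errors.New("wrapper must contain both " + innerName + " and " + sigName)
	}
	if !ed25519.Verify(pub, inner, sig) {
		return nil, errors.New("bad signature: refusing to unpack " + innerName)
	}
	return readTar(inner)
}

// TamperInner rewraps an outer tarball with one byte of the inner package
// flipped and the original +SIGNATURE left in place, i.e. a modified package.
func TamperInner(outer []byte) ([]byte, error) {
	members, err := readTar(outer)
	if err != nil {
		return nil, err
	}
	inner := append([]byte(nil), members[innerName]...)
	inner[len(inner)/2] ^= 0x01
	return writeTar([]member{{innerName, inner}, {sigName, members[sigName]}})
}

// Demo builds a constructed two-file package, wraps it, and reports whether
// the genuine wrapper unpacks and whether a tampered copy is refused.
func Demo() (genuineOK, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	script := "#!/bin/sh\necho hello\n"
	inner, err := writeTar([]member{
		{"+CONTENTS", []byte("@name example-1.0\nbin/example\n")}, // constructed
		{"bin/example", []byte(script)},
	})
	if err != nil {
		return false, false, err
	}
	outer, err := WrapSigned(inner, priv)
	if err != nil {
		return false, false, err
	}
	files, verr := UnwrapVerified(outer, pub)
	genuineOK = verr == nil && string(files["bin/example"]) == script
	bad, err := TamperInner(outer)
	if err != nil {
		return false, false, err
	}
	_, verr = UnwrapVerified(bad, pub)
	tamperedRejected = verr != nil
	return genuineOK, tamperedRejected, nil
}

func main() {
	g, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine verified:", g, "tampered rejected:", t)
}
```

The point the layout buys is in UnwrapVerified: the bytes that were signed are the bytes being verified, with no need to strip a +SIGNATURE member and re-create the original tarball byte-for-byte, which is the messy step the single-tarball variant would require.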