Subject: Re: [email@example.com: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Hubert Feyrer <firstname.lastname@example.org>
From: Bill Sommerfeld <email@example.com>
Date: 10/03/2001 18:55:04
> I wonder if it was possible to make the signature part of the +-files, and
> if present do the signature checking? Just like what we do for +MESSAGE
> files etc.
It would make verifying the signature a bit messy, since the signature
obviously couldn't cover the +SIGNATURE file; you'd have to be able to
reconstruct the tarball as it was without the +SIGNATURE.
An alternate approach would be to double-wrap things -- have a tarball
containing the package tarball and a +SIGNATURE file, and then unwrap
the inner tarball if the signature verifies.
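As an added illustration of the double-wrap layout described in this reply (example code written for this page, not code from Bill Sommerfeld, NetBSD pkg_install or the thread): the outer tarball carries the untouched inner package tarball plus a +SIGNATURE member, so the signature covers exactly the inner bytes and the +SIGNATURE file never has to be excised before checking. The inner member name `package.tgz` is a placeholder, the sample package files are constructed, and an HMAC-SHA256 stands in for a real detached public-key signature so the example runs with the standard library only; a real installer would substitute its signature primitive in `sign`/`verify` and keep the rest of the flow.

```python
"""Double-wrapped signed package: outer tar = inner package tar + +SIGNATURE.

Nothing from the inner tarball is opened until the signature over its raw
bytes verifies. Example code for this page; not pkg_install's own code.
"""
import hashlib
import hmac
import io
import tarfile

SIG_NAME = "+SIGNATURE"
INNER_NAME = "package.tgz"   # placeholder name for the inner package tarball


def _member(name: str, data: bytes):
    """Build an in-memory tar member for `data` under `name`."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mtime = 0
    return info, io.BytesIO(data)


def build_inner(files: dict) -> bytes:
    """Create the package tarball itself: this is the thing that gets signed."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            tar.addfile(*_member(name, data))
    return buf.getvalue()


def sign(data: bytes, key: bytes) -> bytes:
    """Detached signature over the inner tarball bytes.

    Assumption: HMAC-SHA256 stands in for a public-key signature (e.g. a
    PGP detached signature) so the example has no external dependencies.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()


def verify(data: bytes, sig: bytes, key: bytes) -> bool:
    """Constant-time comparison of the stored +SIGNATURE against a fresh one."""
    return hmac.compare_digest(sign(data, key), sig)


def build_outer(inner: bytes, key: bytes) -> bytes:
    """Wrap the inner tarball and its signature in an outer (uncompressed) tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(*_member(INNER_NAME, inner))
        tar.addfile(*_member(SIG_NAME, sign(inner, key)))
    return buf.getvalue()


def unwrap(outer: bytes, key: bytes) -> dict:
    """Verify +SIGNATURE over the inner tarball, then (and only then) unpack it.

    Returns {member name: bytes} of the inner package; raises ValueError if
    the outer layout is wrong or the signature does not verify.
    """
    with tarfile.open(fileobj=io.BytesIO(outer), mode="r") as tar:
        members = {m.name: tar.extractfile(m).read()
                   for m in tar.getmembers() if m.isfile()}
    if INNER_NAME not in members or SIG_NAME not in members:
        raise ValueError("outer tarball lacks the package or +SIGNATURE")
    # The signature covers the inner tarball bytes exactly as they sit in the
    # outer archive, so no reconstruction of a "tarball minus +SIGNATURE" is needed.
    if not verify(members[INNER_NAME], members[SIG_NAME], key):
        raise ValueError("signature verification failed; refusing to unwrap")
    with tarfile.open(fileobj=io.BytesIO(members[INNER_NAME]), mode="r:gz") as inner:
        return {m.name: inner.extractfile(m).read()
                for m in inner.getmembers() if m.isfile()}


if __name__ == "__main__":
    # Constructed sample package contents and a constructed signing key.
    pkg = {"+CONTENTS": b"@name demo-1.0\n", "bin/demo": b"#!/bin/sh\necho demo\n"}
    key = b"constructed-example-key"
    wrapped = build_outer(build_inner(pkg), key)
    print(sorted(unwrap(wrapped, key)))          # ['+CONTENTS', 'bin/demo']
    try:
        unwrap(wrapped, b"wrong-key")
    except ValueError as e:
        print("rejected:", e)
```

The point of the layout is in `unwrap`: the inner archive is never even opened until `verify` passes on its raw bytes, so a tampered inner tarball (or a stripped or swapped +SIGNATURE) is rejected before any package member is read.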