Subject: Re: little hacking project: bulk build checksums
To: Hubert Feyrer <>
From: Alistair Crooks <>
List: tech-pkg
Date: 01/23/2005 16:42:57
On Sun, Jan 23, 2005 at 03:56:35AM +0100, Hubert Feyrer wrote:
> On Sun, 23 Jan 2005, grant beattie wrote:
> >we have the ability to cryptographically sign binary packages, which
> >can be automatically verified by pkg_add.
> I hear that myth on and off, but never found any documentation, usage 
> examples etc. on it. Can you tell us more about it?

You should have come to the portable packaging system talk at
EuroBSDCon 2004 in Karlsruhe, where I explained about using digital
signatures in pkg_add.

The NetBSD Update talk from Usenix 2004 in Boston, which was
referenced from your blog, includes a screenshot showing an addition
of a digitally-signed package.

pkg_add(1) contains the following text:

     -s verification-type
             Use a callout to an external program to verify the binary package
             being installed against an existing detached signature file.  The
             signature file must reside in the same directory as the binary
             package.  At the present time, the following verification types
             are defined: none, gpg and pgp5.  The signature will be verified
             at install time, and the results will be displayed.  If the sig-
             nature type is anything other than none, the user will be asked
             if pkg_add should proceed to install the binary package.  The
             user must then take the decision whether to proceed or not,
             depending upon the amount of trust that is placed in the signa-
             tory of the binary package.  Please note that, at the current
             time, it is not possible to use the verification feature when
             using pkg_add to add a binary package via a URL - the package,
             and the related detached signature file, must be local for the
             verification to work.

To make a digital signature of a binary package is very simple:

	% gpg -b <binary-package-name>

will make the detached signature file.

The following is an example of (a) signing a binary package, and then
(b) the addition of that digitally-signed binary package.

[16:39:34] agc@sys3 ~ 25 > gpg -b zsh-4.2.1.tgz 

You need a passphrase to unlock the secret key for
user: "Alistair Crooks <>"
2048-bit RSA key, ID C0596823, created 2004-01-12

[16:39:52] agc@sys3 ~ 26 > ls -al zsh*
-rw-r--r--  1 agc  agc  1614194 Jan 23 16:34 zsh-4.2.1.tgz
-rw-r--r--  1 agc  agc      280 Jan 23 16:39 zsh-4.2.1.tgz.sig
[16:40:00] agc@sys3 ~ 27 > priv pkg_add -s gpg zsh-4.2.1.tgz
pkg_add: Using signature file: /home/agc/./zsh-4.2.1.tgz.sig
gpg: Signature made Sun Jan 23 16:39:51 2005 GMT using RSA key ID C0596823
gpg: Good signature from "Alistair Crooks <>"
gpg:                 aka "Alistair Crooks <>"
gpg:                 aka "Alistair Crooks <>"
gpg:                 aka "Alistair Crooks <>"
Proceed with addition of /home/agc/./zsh-4.2.1.tgz: [y/n]? y
Executing '/bin/mkdir -p /usr/pkg/share/zsh/site-functions'
===> Updating /etc/shells

$NetBSD: MESSAGE,v 1.1 2001/10/31 22:27:02 zuntum Exp $

`/usr/pkg/share/doc/zsh/NEWS' contains a summary of important changes
for this version of zsh.

Note that the completion system can now be setup and configured using
the "compinstall" function.  Please read the zshcompsys(1) manual page
for information on how this works.


[16:40:34] agc@sys3 ~ 28 >