Subject: Re: little hacking project: bulk build checksums
To: None <>
From: Jan Schaumann <>
List: tech-pkg
Date: 01/23/2005 12:04:19
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Alistair Crooks <> wrote:
> On Sun, Jan 23, 2005 at 03:56:35AM +0100, Hubert Feyrer wrote:
> > On Sun, 23 Jan 2005, grant beattie wrote:
> > >we have the ability to cryptographically sign binary packages, which
> > >can be automatically verified by pkg_add.
> >=20
> > I hear that myth on and off, but never found any documentation, usage=
> > examples etc. on it. Can you tell us more about it?
> pkg_add(1) contains the following text:
>      -s verification-type
>              Use a callout to an external program to verify the binary pa=
>              being installed against an existing detached signature file.=
>              signature file must reside in the same directory as the bina=
>              package.  At the present time, the following verification ty=
>              are defined: none, gpg and pgp5.


> To make a digital signature of a binary package is very simple:
> 	% gpg -b <binary-package-name>
> will make the detached signature file.

Which, however, brings back the problem of not having a PGP tool in the
base system.  Our pkg tools should not rely on third-party software for
the verification or creation of signatures.

For that reason, I would probably tend more torwards the openssl
approach, be it based on smime file signing or certificates.  I would
assume that it would be beneficial for the project to have a cert it
could ship with in the base system.

Alas, I feel we're rehashing the discussion from last May
( -- as was pointed
out to me in this thread elsewhere).


I always said there was something fundamentally wrong with the universe.

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3 (NetBSD)