Subject: Re: little hacking project: bulk build checksums
To: None <tech-pkg@NetBSD.org>
From: Jan Schaumann <email@example.com>
Date: 01/23/2005 12:04:19
Content-Type: text/plain; charset=us-ascii
Alistair Crooks <firstname.lastname@example.org> wrote:
> On Sun, Jan 23, 2005 at 03:56:35AM +0100, Hubert Feyrer wrote:
> > On Sun, 23 Jan 2005, grant beattie wrote:
> > >we have the ability to cryptographically sign binary packages, which
> > >can be automatically verified by pkg_add.
> > I hear that myth on and off, but never found any documentation, usage
> > examples etc. on it. Can you tell us more about it?
> pkg_add(1) contains the following text:
> -s verification-type
> Use a callout to an external program to verify the binary package
> being installed against an existing detached signature file. The
> signature file must reside in the same directory as the binary
> package. At the present time, the following verification types
> are defined: none, gpg and pgp5.
> To make a digital signature of a binary package is very simple:
> % gpg -b <binary-package-name>
> will make the detached signature file.
Which, however, brings back the problem of not having a PGP tool in the
base system. Our pkg tools should not rely on third-party software for
the verification or creation of signatures.
For that reason, I would probably tend more towards the openssl
approach, be it based on smime file signing or certificates. I would
assume that it would be beneficial for the project to have a cert it
could ship with in the base system.
Alas, I feel we're rehashing the discussion from last May
(http://mail-index.netbsd.org/tech-security/2004/05/ -- as was pointed
out to me in this thread elsewhere).
I always said there was something fundamentally wrong with the universe.
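Added example, not part of the original message and not NetBSD's pkg tools: a sketch of the openssl smime approach mentioned above, producing a detached signature beside a binary package and checking it against a trusted certificate using only openssl(1). The function names, the .sig suffix, the file names and the self-signed certificate (standing in for a cert shipped in the base system) are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: detached signature over a binary package using only openssl(1).
# File names and the certificate subject are constructed for this demo.

# Throwaway self-signed certificate, standing in for a cert shipped in the base system.
make_signer() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-pkg-signer" \
        -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null
}

# Write <package>.sig beside the package (same-directory rule quoted from pkg_add(1)).
sign_pkg() {      # $1 = package, $2 = signer cert, $3 = signer key
    openssl smime -sign -binary -outform PEM \
        -in "$1" -signer "$2" -inkey "$3" -out "$1.sig" 2>/dev/null
}

# Exit 0 only if the signature covers these exact bytes and chains to the trusted cert.
verify_pkg() {    # $1 = package, $2 = trusted cert
    [ -f "$1.sig" ] || return 2          # a missing signature must fail closed
    openssl smime -verify -binary -inform PEM \
        -in "$1.sig" -content "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed package payload\n' > "$d/example-1.0.tgz"
    make_signer "$d" && sign_pkg "$d/example-1.0.tgz" "$d/signer.crt" "$d/signer.key"
    verify_pkg "$d/example-1.0.tgz" "$d/signer.crt" && echo "original: verified"
    printf 'x' >> "$d/example-1.0.tgz"   # simulate modification after signing
    verify_pkg "$d/example-1.0.tgz" "$d/signer.crt" || echo "modified: rejected"
    rm -rf "$d"
}
demo
```

The -binary flag on both sides matters for packages: without it openssl canonicalises line endings as if the input were text, so the signature would not cover the exact bytes on disk.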