Subject: Re: little hacking project: bulk build checksums
To: None <tech-pkg@NetBSD.org>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-pkg
Date: 01/23/2005 18:12:16
On Sun, Jan 23, 2005 at 12:04:19PM -0500, Jan Schaumann wrote:
> Alistair Crooks <agc@pkgsrc.org> wrote:
> > pkg_add(1) contains the following text:
> > 
> >      -s verification-type
> >              Use a callout to an external program to verify the binary package
> >              being installed against an existing detached signature file.  The
> >              signature file must reside in the same directory as the binary
> >              package.  At the present time, the following verification types
> >              are defined: none, gpg and pgp5.
> 
> [...]
> 
> > To make a digital signature of a binary package is very simple:
> > 
> > 	% gpg -b <binary-package-name>
> > 
> > will make the detached signature file.
> 
> Which, however, brings back the problem of not having a PGP tool in the
> base system.  Our pkg tools should not rely on third-party software for
> the verification or creation of signatures.

The fact that gpg has a ghastly licence means that I implemented the
digital signatures (back in 2001) as a callout. I am not willing to
add gnupg to the base system (and there are others who have problems
with the trust model of gnupg).
> For that reason, I would probably tend more towards the openssl
> approach, be it based on smime file signing or certificates.  I would
> assume that it would be beneficial for the project to have a cert it
> could ship with in the base system.

I've been talking to the NetBSD security-officer team and some others
within the project about the best way to do this, and I'm not
convinced that openssl is the way to go - bootstrapping it, for
example, would be a PITA.  In fact, the signature tool isn't the most
onerous thing right now - it's the CA policy.  I am currently working
on this, and I hope that it will make the 3.0 cutoff date.

More as it happens...
Regards,
Alistair
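The verification side of the callout model quoted above, as an added example (not pkg_add's own code): it enforces the manpage's rule that the detached signature produced by `gpg -b` must sit beside the binary package, dispatches on the verification type, and passes the external tool's exit status back. The GPG variable override and the `.sig` naming are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from pkg_add(1) or NetBSD. A minimal "-s
# verification-type" callout: only the "none" and "gpg" types are handled
# here (assumption: pgp5 is left out because its command line is not on
# the page). GPG may be overridden so the logic can be exercised without
# gnupg installed (assumption).
GPG="${GPG:-gpg}"

# Path of the detached signature for package $1. "gpg -b <package>"
# writes <package>.sig next to the package, which is what the manpage
# requires (same directory as the binary package).
sig_path() {
    printf '%s.sig\n' "$1"
}

# verify_pkg TYPE PACKAGE
# Exit status: 0 on success, 1 if the package or its detached signature
# is missing, 2 for an unknown verification type, otherwise the status of
# the external verifier (so a bad signature is never silently accepted).
verify_pkg() {
    type="$1"
    pkg="$2"
    case "$type" in
        none) return 0 ;;
        gpg)  ;;
        *)    echo "unknown verification type: $type" >&2; return 2 ;;
    esac
    sig=$(sig_path "$pkg")
    if [ ! -f "$pkg" ] || [ ! -f "$sig" ]; then
        echo "missing package or detached signature: $sig" >&2
        return 1
    fi
    # Detached-signature verification: the signature file first, then
    # the signed data it covers.
    "$GPG" --verify "$sig" "$pkg"
}
```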