Subject: signed binary pkgs [was: Re: BPG call for use cases]
To: Curt Sampson <email@example.com>
From: Hubert Feyrer <firstname.lastname@example.org>
Date: 07/22/2005 11:41:17
On Fri, 22 Jul 2005, Curt Sampson wrote:
> For pkg_add, how does this sound?
In the process of creating the +CONTENTS file from the PLIST (in
pkg_create) we calculate MD5 checksums of all files right now, so that may
be a possible point to add that signing.
I think there's a difference if you sign every file in an archive, or the
archive as a whole, and as such I'm not sure this approach is good enough.
I think the -s thing could be automated to just look for a .sig file
besides the .tgz/.tbz file, and do verify when found. Care should be taken
that this does work on local storage as well as via ftp & http (-s
currently does only work for local storage AFAIK).