Subject: signed binary pkgs [was: Re: BPG call for use cases]
To: Curt Sampson <>
From: Hubert Feyrer <>
List: tech-pkg
Date: 07/22/2005 11:41:17
On Fri, 22 Jul 2005, Curt Sampson wrote:
> For pkg_add, how does this sound?

In the process of creating the +CONTENTS file from the PLIST (in 
pkg_create) we currently calculate MD5 checksums of all files, so that may 
be a possible point at which to add the signing.


I think there's a difference between signing every file in an archive and 
signing the archive as a whole, and as such I'm not sure this approach is 
good enough.

I think the -s thing could be automated to just look for a .sig file 
beside the .tgz/.tbz file, and verify when one is found. Care should be 
taken that this works on local storage as well as via ftp & http (-s 
currently only works for local storage AFAIK).

  - Hubert
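The two points in the message above, contrasted in code. This is an added example, not pkgsrc's pkg_create/pkg_add code: it builds a small constructed package, checks it once via a signed +CONTENTS-style per-file MD5 manifest and once via a signature over the whole archive, and shows the detached-.sig lookup beside a package given as a local path or as an ftp/http URL. The signature itself is a stand-in (HMAC-SHA256 under a shared key, an assumption made so the block runs with the standard library alone); the manifest format only approximates +CONTENTS, and the "+INSTALL" member, file names and key are all made up here.

```python
"""Added example: signed per-file manifest vs. signature over the whole
archive, plus locating a detached .sig beside a package (path or URL)."""
import hashlib
import hmac
import io
import tarfile
import urllib.parse
import urllib.request

# Assumption for this example only: HMAC under a shared key stands in for
# the real public-key signature pkg_add would verify with a vendor key.
SIGNING_KEY = b"example-signing-key"


def build_archive(files):
    """Pack {name: bytes} into an in-memory .tgz (constructed sample package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def contents_manifest(files):
    """Approximation of +CONTENTS: each file name followed by '@comment MD5:<hex>'."""
    lines = []
    for name, data in sorted(files.items()):
        lines.append(name)
        lines.append("@comment MD5:" + hashlib.md5(data).hexdigest())
    return ("\n".join(lines) + "\n").encode()


def sign(data, key=SIGNING_KEY):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data, sig, key=SIGNING_KEY):
    return hmac.compare_digest(sign(data, key), sig)


def archive_members(archive):
    """{name: bytes} for every regular file in the .tgz."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}


def parse_manifest(manifest):
    """{name: md5hex} from the +CONTENTS-style text."""
    expected, current = {}, None
    for line in manifest.decode().splitlines():
        if line.startswith("@comment MD5:"):
            expected[current] = line[len("@comment MD5:"):]
        elif not line.startswith("@"):
            current = line
    return expected


def verify_per_file(archive, manifest, manifest_sig, strict=False):
    """Signed manifest, then MD5 of each listed member. Without strict=True
    the check says nothing about members the manifest never listed."""
    if not verify(manifest, manifest_sig):
        return False
    members = archive_members(archive)
    expected = parse_manifest(manifest)
    for name, digest in expected.items():
        if name not in members or hashlib.md5(members[name]).hexdigest() != digest:
            return False
    if strict and set(members) - set(expected):
        return False  # an unlisted member is a tampering signal
    return True


def verify_whole_archive(archive, archive_sig):
    """A signature over the archive bytes covers every member, listed or not."""
    return verify(archive, archive_sig)


def sig_location(pkg):
    """'foo.tgz' -> 'foo.tgz.sig'; same rule for local paths and ftp/http URLs,
    since the .sig is assumed to sit beside the package."""
    return pkg + ".sig"


def fetch(location):
    """Read a package or its .sig from a local path or a URL (assumption: one
    code path for both, so the -s check is not limited to local storage)."""
    if urllib.parse.urlsplit(location).scheme in ("http", "https", "ftp"):
        with urllib.request.urlopen(location) as resp:
            return resp.read()
    with open(location, "rb") as fh:
        return fh.read()


def demo():
    files = {"bin/hello": b"#!/bin/sh\necho hello\n", "share/doc/README": b"hello\n"}
    manifest, archive = contents_manifest(files), build_archive(files)
    manifest_sig, archive_sig = sign(manifest), sign(archive)
    # Constructed tampering: an unlisted member is added after signing.
    tampered = build_archive({**files, "+INSTALL": b"#!/bin/sh\n# unlisted hook\n"})
    return {
        "clean_per_file": verify_per_file(archive, manifest, manifest_sig),
        "clean_whole": verify_whole_archive(archive, archive_sig),
        "tampered_per_file": verify_per_file(tampered, manifest, manifest_sig),
        "tampered_per_file_strict": verify_per_file(tampered, manifest, manifest_sig, strict=True),
        "tampered_whole": verify_whole_archive(tampered, archive_sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The lax per-file check accepts the tampered archive because it only inspects members the manifest names; rejecting unlisted members (strict=True) closes that particular gap, but the whole-archive signature needs no such special case, which is the difference the message points at.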