tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Call for tests: pkg_install-renovation

On Mon, 26 May 2008, Joerg Sonnenberger wrote:
Can you tell how to do the verification "manually" (using openssl?)
for all our openssl-neophytes out there that don't want to install a
package (or even run netbsd/pkgsrc) to check the signature?

It is a bit tricky as the signatures are created in a way to allow
streaming installation from FTP. A signed package is normally an
ar(1)chive, containing three entries:
(the latter just named after the package). It doesn't really really if
it is ar(1) or some other supported archive format, but it does care
about the order.

The third file should be obvious. The second file is the PKCS7 signature
of the first, it can be validated e.g. with nbsvtool(1). The first file
is the description of the package. It looks for example like:

--- cut here ---
pkgsrc signature

version: 1
pkgname: digest-20070803
algorithm: SHA512
block size: 65536
file size: 36854

end pkgsrc signature
--- cut here ---

The last part before "end pkgsrc signature" is the hash of each blocks.
Validated this is the tricky part, it will require some use of split(1)
or so :-) It is not recommented to create the files by hand as the
parser is pretty dumb^Wstrict.

Thanks for the details. Did I understand your answer right as "you must have NetBSD (for nbsvtool(1) - whatever that is) installed" to verify the binary pkg's signature? Can't this be done with openssl(1)?

 - Hubert

Home | Main Index | Thread Index | Old Index