tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

DISTFILES signature verification


Quite a while ago (I think it was pkgsrccon '06) I demo'ed a small
addition to pkgsrc that would allow for verification of detached
signatures of ${DISTFILES} using gpg.  To get this working you need to
enable it using the global switch and unless you want to manually add
the keys to your keyring I'd also suggest letting gpg automagically
download any missing sigs.  You can set all this up by specifying the
following in your mk.conf:

VERIFY_SIG=             yes

By default this will add any signatures to ~/.gnupg, again if you don't
want to mess with your default keyring you can tell gpg to use a keyring
located elsewhere:

VERIFY_SIG_ARGS=        --verify --batch --homedir=/tmp

The easiest way to test all this is to add HAS_SIG=yes to any package
that has a .sig file located at ${MASTER_SITES} called
${DISTFILE}${VERIFY_SIG_EXTN} (e.g. mail/sendmail).

From then just doing the usual 'make' will download and verify the .sig.
 Everything is probably better explained in the comments in the top of

To get this all going just drop in your mk/ directory and
apply the patches here:

Comments ?


Home | Main Index | Thread Index | Old Index