Obstacles to get signed binary pkgs

[Martin Husemann <martin%duskware.de@localhost>]

I know that some here assume all of this as solved problems, but somehow
the knowledge about the solution, or details, or documentation - or
whatever - did not end up in the hands of the right people.

Last time I asked stupid questions about signed binaries, I was pointed at
issues with netbsd-7 and its pkg_install (and friends). Ok, I did wait for
NetBSD 9.0 being around the corner [RC2 later today!] and asked again.

It seems we will not get signed pkgs soon, as a few things are still
unclear.

First the obvious question: can netgpp(1) be used by pkg_* to verify
binary pkgs? If so, what setup is needed? If not: could that please be
added?

Second question: assuming I start from scratch, how do I verify the first
binary pkg I install (which likely will be gpg, so I can verify pkgs)?

Now on the other side: assuming I do bulk pkg builds with pbulk, what do
I need to setup to get binary pkgs signed? Where is a step-by-step 
documentation? Are there any administrative things that TNF needs to
decide or provide?

And the answer I personally was looking for when I started asking around
recently: what would need to be added to base system installers (like
public keys...) and/or what changes would sysinst need to make this
easy for a new installation?


It would be great if we had a wiki page 

  (a) for open issues that need to be solved untill this can happen
  (b) a step by step guide for everyone starting a bulk build who wants
      to sign things

And it would be super cool if we could make it happen before NetBSD 10.0
(or when we make it happen restart the 9.x pkg builds from scratch).

Martin