Subject: signed binary pkgs [was: Re: BPG call for use cases]
To: Curt Sampson <cjs@cynic.net>
From: Hubert Feyrer <hubert@feyrer.de>
List: tech-security
Date: 07/22/2005 11:41:17
On Fri, 22 Jul 2005, Curt Sampson wrote:
> For pkg_add, how does this sound?

In the process of creating the +CONTENTS file from the PLIST (in 
pkg_create) we calculate MD5 checksums of all files right now, so that may 
be a possible point to add that signing.

But!

I think there's a difference between signing every file in an archive and 
signing the archive as a whole, and as such I'm not sure this approach is 
good enough.

I think the -s thing could be automated to just look for a .sig file 
beside the .tgz/.tbz file, and verify when one is found. Care should be 
taken that this works on local storage as well as via ftp & http (-s 
currently only works for local storage AFAIK).


  - Hubert
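As an added illustration (not part of this message, nor pkg_add's own code): the "look for a .sig beside the archive and verify only when found" behaviour sketched above, in Go. It assumes Ed25519 detached signatures over the whole archive file (the message names no signature scheme), a public key the verifier already trusts, and that both files are already on local storage; the ftp/http case would first have to fetch the .sig next to the archive.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
)

var demoPub, demoPriv, _ = ed25519.GenerateKey(rand.Reader) // throwaway demo key pair
var ErrBadSignature = errors.New("detached signature does not verify")

// VerifyPkg is the proposed behaviour: verify only when <pkg>.sig sits beside the archive.
// The signature covers the archive file as a whole (+CONTENTS included), not individual files.
func VerifyPkg(pkgPath string, pub ed25519.PublicKey) (bool, error) {
	pkg, err := os.ReadFile(pkgPath)
	if err != nil {
		return false, err
	}
	sig, err := os.ReadFile(pkgPath + ".sig")
	if errors.Is(err, os.ErrNotExist) {
		return false, nil // no detached signature: today's unsigned case
	} else if err != nil {
		return false, err
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return false, ErrBadSignature
	}
	return true, nil
}

// WriteSignedPkg is the signing side: the archive plus a detached signature over
// its full bytes at pkgPath+".sig", produced by whoever builds the package.
func WriteSignedPkg(pkgPath string, pkg []byte, priv ed25519.PrivateKey) error {
	if err := os.WriteFile(pkgPath, pkg, 0o644); err != nil {
		return err
	}
	return os.WriteFile(pkgPath+".sig", ed25519.Sign(priv, pkg), 0o644)
}

func main() {
	path := os.TempDir() + "/foo-1.0.tgz"
	pkg := []byte("constructed stand-in for a binary package archive")
	if err := WriteSignedPkg(path, pkg, demoPriv); err != nil {
		panic(err)
	}
	fmt.Println(VerifyPkg(path, demoPub)) // true <nil>
	os.WriteFile(path, append(pkg, '!'), 0o644) // tamper after signing
	fmt.Println(VerifyPkg(path, demoPub)) // false detached signature does not verify
}
```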