Subject: Re: BPG call for use cases
To: Curt Sampson <cjs@cynic.net>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 07/30/2005 21:41:37
>For pkg_add, how does this sound?

I'm late to the party again, but fwiw, I've been using "signed" packages at
work for some time.  This is typically done as a wrapper package - that contains
the original .tgz and a .tgz.sig and the bits needed to verify it.
Customers can only access the "signed" packages btw.

For more recent packaging, the .sig's are an integral part of the packaging
and are verified by the +INSTALL script.  

Even more recently, I replaced pkg_add with a rather simple shell script (does
all the pkg_add functionality that we use), with the big difference being that
it insists on verifying the .sig's before even running the +REQUIRE.
That's rather important for FIPS compliance...

BTW, updating pkg_* to use sha1 hashes (or better yet sha2) rather than md5 
would be a useful improvement.

--sjg
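The "verify before running anything from the package" ordering sjg describes, as an added illustration (this is not his script or any NetBSD code): a small POSIX sh installer that checks a detached signature over the whole .tgz before the archive is extracted or its +INSTALL script is run, using SHA-256 rather than MD5 for the digest. The file names (pkg.tgz, pkg.tgz.sig, pub.pem), the function names, and the use of openssl(1) for signing and verification are all assumptions of the example; the sample package and key pair are constructed on the fly.

```shell
#!/bin/sh
# Added example, not the script from the post: a minimal "verify before you
# touch anything" installer in the spirit of the pkg_add replacement described
# above. Assumptions: openssl(1), tar(1) and mktemp(1) are available; a package
# is a .tgz with a detached signature (.tgz.sig) made over the whole archive;
# the verifying public key (pub.pem) is distributed out of band. All file and
# function names are the example's own.

# verify_sig PKG SIG PUBKEY: 0 iff SIG is a valid SHA-256/RSA signature of PKG.
# SHA-256 rather than MD5, per the remark about pkg_* digests.
verify_sig() {
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# safe_install PKG SIG PUBKEY DESTDIR
# The signature is checked first; the archive is not listed, extracted, or
# its +INSTALL script run unless verification succeeds.
safe_install() {
    pkg=$1 sig=$2 key=$3 dest=$4
    if ! verify_sig "$pkg" "$sig" "$key"; then
        echo "refusing $pkg: signature does not verify" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    tar -xzf "$pkg" -C "$dest" || return 1
    # Only now is any code shipped inside the package executed.
    if [ -f "$dest/+INSTALL" ]; then
        sh "$dest/+INSTALL" "$dest" || return 1
    fi
}

# build_demo_package DIR: constructs a sample package, key pair and signature
# in DIR (constructed test data, not a real package or key).
build_demo_package() {
    d=$1
    mkdir -p "$d/src" || return 1
    printf 'echo installed > "$1/installed.txt"\n' > "$d/src/+INSTALL"
    echo hello > "$d/src/hello.txt"
    tar -czf "$d/pkg.tgz" -C "$d/src" +INSTALL hello.txt || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.pem" 2>/dev/null || return 1
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem" 2>/dev/null || return 1
    openssl dgst -sha256 -sign "$d/priv.pem" -out "$d/pkg.tgz.sig" "$d/pkg.tgz"
}

# run_demo: a good package installs; a tampered copy is refused before any
# directory is created or anything is extracted. Returns 0 only if both
# outcomes are as expected.
run_demo() {
    w=$(mktemp -d) || return 1
    build_demo_package "$w" || return 1
    safe_install "$w/pkg.tgz" "$w/pkg.tgz.sig" "$w/pub.pem" "$w/good" || return 1
    [ -f "$w/good/installed.txt" ] || return 1
    # Tampered copy: a single appended byte invalidates the signature.
    cp "$w/pkg.tgz" "$w/bad.tgz"
    printf 'x' >> "$w/bad.tgz"
    if safe_install "$w/bad.tgz" "$w/pkg.tgz.sig" "$w/pub.pem" "$w/bad" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$w/bad" ] || return 1
    rm -rf "$w"
    echo "ok: good package installed, tampered package refused"
}

run_demo || exit 1
```

Run it as `sh safe_install.sh`; it builds the sample package, installs it, then shows the tampered copy being refused. The point of the ordering is that `tar` never sees an unverified archive and `+INSTALL` (or a `+REQUIRE`) never runs from one, so a modified package cannot get code executed by the mere act of being checked.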