Subject: Re: BPG call for use cases
To: Simon J. Gerraty <>
From: Curt Sampson <>
List: tech-security
Date: 07/31/2005 13:51:36
On Sat, 30 Jul 2005, Simon J. Gerraty wrote:

> I'm late to the party again, but fwiw, I've been using "signed"
> packages at work for sometime. This is typically done as a wrapper
> package - that contains the original .tgz and a .tgz.sig and the bits
> needed to verify it. Customers can only access the "signed" packages
> btw.
> For more recent packaging, the .sig's are an integral part of the
> packaging and are verified by the +INSTALL script.

Can you explain the details of how you're doing this?

(I've added tech-pkg to the list; there's been a fair amount of
discussion there about different ways of implementing this.)

> Even more recently, I replaced pkg_add with a rather simple shell
> script (does all the pkg_add functionality that we use), with the big
> difference being that it insists on verifying the .sig's before even
> running the +REQUIRE. That's rather important for FIPS compliance...

I'll keep that in mind.

> BTW, updating pkg_* to use sha1 hashes (or better yet sha2) rather
> than md5 would be a useful improvement.

I've been anticipating a generic archive signing mechanism that would
let you use your choice of as many different hash types as you want, a
la pkgsrc distinfo files.

Curt Sampson  <>   +81 90 7737 2974
      Make up enjoying your city life...produced by BIC CAMERA