Re: CVS commit: src/usr.bin/nbsvtool

[Hubert Feyrer <hubert%feyrer.de@localhost>]

On Mon, 14 Jul 2008, Dieter Baron wrote:
> attached is an updated version of the man page, please review.

Looking at the rendered page:

>      sign file                         Sign file, placing the signature in
>                                        file .sp7.  The options -f and -k are

There's an extra space between "file" and ".sp7" here.


>      verify file [signature]           Verify signature for file.  If
>                                        signature is not specified, file .sp7

Same here.

While there, this makes me wonder how verification of signatures via 
FTP/HTTP is intended. does pkg_add automatically download the .sp7 (== 
checksum?) file? How does nbsvtool integrate with pkg_add, at all?


>      verify-code file [signature]      This is a short cut for verify with the
>                                        option --u code.

Are the two dashes intended?


>      -a anchor-certificates        A file containing one or more (concate-
>                                    nated) keys that are considered trusted.

Details! What kind of files, where do they come from, how does one create 
them?

The writer of that manpage seems to assume a lot of knowledge that I doubt 
is available...

This also goes for all other files - at least giving a hint via a filename 
suffix may help a bit.

The EXAMPLES section sounds useful from the remote, but it needs more 
steps to get to a point where it can be used. Setup of the CA and whatever 
else needs to be done should be documented - not in this manpage, I guess, 
as other parts (postfix? ldap? httpd? ...?) may need the same knowledge. 
Put this into a common manpage, and reference it!

Details:

>      Verify that the signature hello.sp7 is valid for file hello
>       and that the certificate used allows code signing.
>            nbsvtool verify-code hello hello.sp7
>
>      Same as above, but for file file.
>            nbsvtool -u code verify file file.sp7

I don't get the difference here. Is it only the filename? Why use 
"verify-code" in one place, and "-u code verify" in the other place? 
And what is "code" anyways, in the latter example?


> SEE ALSO
>      openssl_smime(1)

That file seems to describe something similar as the manpage at hands, yet 
it also lacks the steps to setup the whole process (it seems to me).

Way to go until this is foolproof... :-(


 - Hubert