tech-userlevel archive


Re: CVS commit: src/usr.bin/nbsvtool



On Tue, Jul 15, 2008 at 12:56:46AM +0200, Hubert Feyrer wrote:
> While there, this makes me wonder how verification of signatures via  
> FTP/HTTP is intended. Does pkg_add automatically download the .sp7 (==  
> checksum?) file? How does nbsvtool integrate with pkg_add, at all?

pkg_add in HEAD supports only GPG and only for local packages.
pkg_add on pkg_install-renovation wraps the package with a signature
header. The signature itself is the same format as nbsvtool can handle.
So most of the description here would apply for pkg_admin and
pkg_install.conf(5) as well.

But this is not about pkg_add.

>>      -a anchor-certificates        A file containing one or more (concate-
>>                                    nated) keys that are considered trusted.
>
> Details! What kind of files, where do they come from, how does one create 
> them?

PEM format as written in the other mail. You obtain them through some
not yet specified means or as part of the system installation --> this
is part of the non-existing policy.

> This also goes for all other files - at least giving a hint via a 
> filename suffix may help a bit.

All files are expected to be PEM encoded. It is the default output used
for example by the CA.sh script.

> The EXAMPLES section sounds useful from the remote, but it needs more  
> steps to get to a point where it can be used. Setup of the CA and 
> whatever else needs to be done should be documented - not in this 
> manpage, I guess, as other parts (postfix? ldap? httpd? ...?) may need 
> the same knowledge. Put this into a common manpage, and reference it!

I don't think a man page is the right place to describe how to set up a
CA. /usr/share/examples/openssl/CA.sh can do most of that, but it is
ugly.

> I don't get the difference here. Is it only the filename? Why use  
> "verify-code" in one place, and "-u code verify" in the other place? And 
> what is "code" anyways, in the latter example?

"code" is an attribute of the certificate used. The filename is the only
difference, otherwise the two samples are equivalent.

> That file seems to describe something similar as the manpage at hand, 
> yet it also lacks the steps to setup the whole process (it seems to me).

No surprise as nbsvtool is supposed to make usage easier, e.g. by
providing only a restricted subset of openssl/smime.

Joerg
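The reply above says that every file nbsvtool touches is PEM, that the trust anchors for -a are just concatenated PEM certificates from a CA one sets up (e.g. with CA.sh), and that nbsvtool is a restricted front end to what openssl smime does. The following script is an added example for this page, not code from nbsvtool, pkg_install or NetBSD: it builds a throwaway CA with plain openssl(1), issues a signer certificate, writes a detached PEM-encoded PKCS#7 signature next to a payload (named .sp7 as in the thread), and verifies it against the CA certificate used as anchor file. Everything in it is an assumption for illustration: the subjects and file names are made up, the "code" usage that the mail mentions is modelled here as the X.509 extendedKeyUsage codeSigning (the mail does not say how nbsvtool encodes or checks it), and `-purpose any` is passed so that openssl's default S/MIME purpose check does not reject a codeSigning-only certificate. Whether nbsvtool's own verification applies the same chain and usage rules is not something this thread establishes.

```shell
#!/bin/sh
# Added example, not nbsvtool's own code. Requires openssl(1) in PATH.
# Names, subjects and the codeSigning mapping of "code" are assumptions.
set -eu

# make_ca DIR: self-signed CA key+cert in PEM. ca.pem is the kind of
# file one would hand to an "anchor certificates" option.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Anchor CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_signer DIR: signer key + cert issued by DIR's CA, marked
# for code signing (assumed model of the "code" usage).
issue_signer() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Release Signer" \
        -keyout "$1/signer.key" -out "$1/signer.csr" 2>/dev/null
    printf 'extendedKeyUsage=codeSigning\n' > "$1/ext.cnf"
    openssl x509 -req -days 1 -in "$1/signer.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/ext.cnf" -out "$1/signer.pem" 2>/dev/null
}

# sign_file DIR PAYLOAD: detached PKCS#7 signature over the raw bytes
# (-binary, no MIME canonicalisation), PEM encoded, in PAYLOAD.sp7.
sign_file() {
    openssl smime -sign -binary -in "$2" \
        -signer "$1/signer.pem" -inkey "$1/signer.key" \
        -outform PEM -out "$2.sp7" 2>/dev/null
}

# verify_sp7 ANCHORS PAYLOAD: 0 iff PAYLOAD.sp7 is a valid signature over
# PAYLOAD by a certificate chaining to a certificate in ANCHORS.
verify_sp7() {
    openssl smime -verify -binary -inform PEM -in "$2.sp7" \
        -content "$2" -CAfile "$1" -purpose any \
        -out /dev/null 2>/dev/null
}

# run_demo: good signature accepted; tampered payload and an unrelated
# anchor file both rejected. Returns 0 only if all three hold.
run_demo() {
    work=$(mktemp -d) || return 1
    # Constructed sample payload standing in for a package file.
    printf 'constructed package payload\n' > "$work/pkg.tgz" || return 1
    make_ca "$work/ca" || return 1
    issue_signer "$work/ca" || return 1
    sign_file "$work/ca" "$work/pkg.tgz" || return 1
    verify_sp7 "$work/ca/ca.pem" "$work/pkg.tgz" || return 1
    # Anchors from a CA that never issued the signer: must fail.
    make_ca "$work/other" || return 1
    if verify_sp7 "$work/other/ca.pem" "$work/pkg.tgz"; then return 1; fi
    # One changed byte in the payload: must fail.
    printf 'constructed package payload!\n' > "$work/pkg.tgz" || return 1
    if verify_sp7 "$work/ca/ca.pem" "$work/pkg.tgz"; then return 1; fi
    rm -rf "$work"
    return 0
}

if run_demo; then
    echo "ok: valid signature accepted; foreign anchor and tampering rejected"
else
    echo "FAILED" >&2
    exit 1
fi
```

The anchor file is what decides trust here: any certificate that chains to something in it is accepted, so concatenating several PEM certificates into one anchors file widens the set of accepted signers accordingly, and a signature verifies or fails purely on the bytes of the payload (the -binary flag keeps openssl from applying text canonicalisation that would otherwise let line-ending changes pass).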

