6E7368 <6E7368%protonmail.com@localhost> writes:

> Thanks Greg, it's been a while since I've been on a mailing list and I
> didn't think of it as a platform-specific question. I'm on a fresh
> install of netbsd 9.0 on a rpi3b+ with sources from anoncvs.netbsd.org
> without any configuration besides users, passwords, hostname and
> disabling sshd.

And presumably you are using packages from ftp.netbsd.org.

> I don't know if this is the best place to ask this, but shouldn't
> pkgsrc check for netpgpverify in $PATH and use that by default if it's
> there? Or at least print something to stdout? I remember a message
> printed about installing gnupg to verify downloads but it said nothing
> about netpgpverify. (I've rebooted since and I don't have shell
> history saved).

There are signatures on the base system sets.

"pkgsrc" doesn't check; pkgsrc is a set of files that allow one to build packages from source. What I think you are asking is "why isn't pkg_add, that is part of the base system I installed, looking for netpgpverify and deciding to verify things (which means refusing to install unverified things)?"

The answer is basically that you can't verify a signed package with just a program -- you also need to have the public key. If you had a set of signed packages, and the public key, you could configure pkg_add to verify them. This is described, confusingly, in pkg_install.conf(5).

Signing packages is easy for one person, and the difficulty appears to be proportional to the number of people in the organization raised to the 0.7 power :-)
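The point above is that pkg_add only verifies when it has been told to, and told where the signer's public key lives. The following /etc/pkg_install.conf fragment is an added example, not part of the message or of NetBSD's shipped defaults; the variable names and values are the ones documented in pkg_install.conf(5), while the gpg binary path and the keyring path are assumptions you have to replace with the public key of whoever actually signed your package set.

```conf
# Added example: pkg_install.conf(5) settings that make pkg_add refuse
# unsigned or badly signed packages. Paths below are placeholders.

# Weak (the shipped default): pkg_add installs anything, signed or not.
#VERIFIED_INSTALLATION=never

# Hardened: every package must carry a valid signature from a key in the
# keyring named below, or pkg_add refuses to install it. "trusted" limits
# this to keys marked trusted in that keyring; "interactive" asks instead.
VERIFIED_INSTALLATION=always

# Program pkg_add runs to check detached signatures. This is the gnupg
# binary from pkgsrc; the path is an assumption for a /usr/pkg prefix.
GPG=/usr/pkg/bin/gpg

# Keyring containing ONLY the public key(s) of the package signers.
# Without this file, having the verifier installed proves nothing.
GPG_KEYRING_VERIFY=/etc/pkg_install_pubring.gpg
```

The keyring is the trust anchor: a key that you fetch over the same channel as the packages buys you nothing, so obtain and fingerprint-check it out of band before pointing GPG_KEYRING_VERIFY at it, and keep it free of unrelated keys so "any key in the ring" really means "the signer".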