pkgsrc-Users archive


Re: pkgsrc signature verification?

6E7368 <> writes:

> Thanks Greg, it's been a while since I've been on a mailing list and I
> didn't think of it as a platform-specific question. I'm on a fresh
> install of netbsd 9.0 on a rpi3b+ with sources from
> without any configuration besides users, passwords, hostname and
> disabling sshd.

And presumably you are using packages from

> I don't know if this is the best place to ask this, but shouldn't
> pkgsrc check for netpgpverify in $PATH and use that by default if it's
> there? Or at least print something to stdout? I remember a message
> printed about installing gnupg to verify downloads but it said nothing
> about netpgpverify. (I've rebooted since and I don't have shell
> history saved).

There are signatures on the base system sets.

"pkgsrc" doesn't check; pkgsrc is a set of files that allow one to
build packages from source.

What I think you are asking is "why isn't pkg_add, that is part of the
base system I installed, looking for netpgpverify and deciding to
verify things (which means refusing to install unverified things)?" The
answer is basically that you can't verify a signed package with just a
program -- you also need to have the public key.

If you had a set of signed packages, and the public key, you could
configure pkg_add to verify them.  This is described, confusingly, in

Signing packages is easy for one person, and the difficulty appears to
be proportional to the number of people in the organization raised to
the 0.7 power :-)

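To make the point of the reply above concrete (a verifier in $PATH proves nothing by itself; pkg_add only enforces signatures when its configuration asks for verification and names a keyring holding the public key), here is an added check script that is not from the thread or from pkg_install. It assumes the pkg_install.conf(5) keys VERIFIED_INSTALLATION, GPG and GPG_KEYRING_VERIFY and the base-system path /etc/pkg_install.conf, none of which the thread names; the demo configs at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report whether pkg_add on this host
# would actually enforce package signature verification, judging from a
# pkg_install.conf. Assumes the pkg_install.conf(5) keys named below.

# Print the last value of KEY from a KEY=VALUE file ($1 = file, $2 = key).
conf_get() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1
}

# Return 0 when verification is enforced, 1 otherwise; print one reason line.
pkg_verify_status() {
    conf=$1
    mode=$(conf_get "$conf" VERIFIED_INSTALLATION)
    gpg=$(conf_get "$conf" GPG)
    keyring=$(conf_get "$conf" GPG_KEYRING_VERIFY)
    case "${mode:-never}" in
        never)
            echo "NOT ENFORCED: VERIFIED_INSTALLATION is '${mode:-never}' (unsigned packages install)"
            return 1 ;;
        always|trusted|interactive) ;;
        *)  echo "NOT ENFORCED: unknown VERIFIED_INSTALLATION value '$mode'"; return 1 ;;
    esac
    # A verifier program alone is not enough ...
    if [ -z "$gpg" ] || [ ! -x "$gpg" ]; then
        echo "NOT ENFORCED: GPG='$gpg' is not an executable verifier"; return 1
    fi
    # ... the public key has to be there too.
    if [ -z "$keyring" ] || [ ! -s "$keyring" ]; then
        echo "NOT ENFORCED: GPG_KEYRING_VERIFY='$keyring' is missing or empty"; return 1
    fi
    echo "ENFORCED: mode=$mode verifier=$gpg keyring=$keyring"
    return 0
}

# Constructed demo: a fresh-install style config beside a hardened one.
demo=$(mktemp -d)
printf 'PKG_PATH=http://example.invalid/packages\n' > "$demo/fresh.conf"
printf 'stand-in verifier\n' > "$demo/gpg"; chmod +x "$demo/gpg"   # placeholder binary
printf 'stand-in keyring\n' > "$demo/pubring.gpg"                   # placeholder public key
printf 'VERIFIED_INSTALLATION=always\nGPG=%s/gpg\nGPG_KEYRING_VERIFY=%s/pubring.gpg\n' \
    "$demo" "$demo" > "$demo/hardened.conf"
pkg_verify_status "$demo/fresh.conf" || true      # NOT ENFORCED
pkg_verify_status "$demo/hardened.conf" || true   # ENFORCED
rm -rf "$demo"
```

On a real host run `pkg_verify_status /etc/pkg_install.conf` (or the pkgsrc-built location of that file) instead of the demo configs.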
