Re: pkgsrc signature verification?

[6E7368 <6E7368%protonmail.com@localhost>]

Thanks again Greg. Out of curiosity, what's the rational for not including the keyring with the installation media?


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, August 25, 2020 5:01 PM, Greg Troxel <gdt%lexort.com@localhost> wrote:

> 6E7368 6E7368%protonmail.com@localhost writes:
>
> > Thanks Greg, it's been a while since I've been on a mailing list and I
> > didn't think of it as a platform-specific question. I'm on a fresh
> > install of netbsd 9.0 on a rpi3b+ with sources from anoncvs.netbsd.org
> > without any configuration besides users, passwords, hostname and
> > disabling sshd.
>
> And presumably you are using packages fromftp.netbsd.org.
>
> > I don't know if this is the best place to ask this, but shouldn't
> > pkgsrc check for netpgpverify in $PATH and use that by default if it's
> > there? Or at least print something to stdout? I remember a message
> > printed about installing gnupg to verify downloads but it said nothing
> > about netpgpverify. (I've rebooted since and I don't have shell
> > history saved).
>
> There are signatures on the base system sets.
>
> "pkgsrc" doesn't check; pkgsrc is a set of files that allow one to
> build packages from source.
>
> What I think you are asking is "why isn't pkg_add, that is part of the
> base system I installed", looking for netpgpverify and deciding to
> verify things (which means refusing to install unverified things)?" The
> answer is basically that you can't verify a signed package with just a
> program -- you also need to have the public key.
>
> If you had a set of signed packages, and the public key, you could
> configure pkg_add to verify them. This is described, confusing, in
> pkg_install.conf(5).
>
> Signing packages is easy for one person, and the difficulty appears to
> be proportional to the number of people in the organization raised to
> the 0.7 power :-)