Subject: Re: [agc@netbsd.org: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Alistair Crooks <agc@pkgsrc.org>
From: Charles M. Hannum <abuse@spamalicious.com>
List: tech-pkg
Date: 10/03/2001 15:32:30
On Wed, 2001-10-03 at 09:50, Alistair Crooks wrote:
> On Tue, Oct 02, 2001 at 11:05:31PM -0700, Simon Gerraty wrote:
> > >At the moment, the ability to verify packages is limited to those
> > >which are not specified by URL. We are looking at removing this
> > >restriction.
> > 
> > Is this because the signatures are delivered separately?  What about a
> > "pkg" that wraps the .tgz and its signature into one file?  The
> > pkg_add of such a thing (.stgz or whatever) would involve unpacking
> > the .tgz and .sig, verifying the signature, and if ok carrying on with
> > the .tgz.
> 
> The ability for a binary package to be installed using pax or tar is
> still a big win, as it can get you out of those delicate little "in
> extremis" situations. That's why we decided to detach the signature.
> But, yes, we're still looking at removing this restriction.

gzip and pax should both deal fine with having the signature tacked on
the end.

BTW, does it prompt you when there *isn't* a signature attached?
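As an added illustration of the wrapped-package idea from the quoted reply (a .tgz with its signature tacked on the end), here is example code that is not from this thread, from pkg_install, or from pkgsrc. It builds a gzip-compressed tar in memory, appends a signature, and then recovers both parts by decoding exactly one gzip member and treating whatever follows as the trailer. HMAC-SHA256 with a constructed key stands in for the real detached signature scheme, which the thread does not specify; the `+CONTENTS` member and its contents are constructed sample data. The verifier refuses when no trailer is present, which is the "no signature attached" case the message asks about.

```python
import hashlib
import hmac
import io
import tarfile
import zlib

# Constructed stand-in for a real signing key. A real tool would check a
# public-key signature; HMAC is used here only so the example runs offline.
SIGNING_KEY = b"constructed-demo-key"
SIG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 trailer is 32 bytes


def make_tgz(files):
    """Build a gzip-compressed tar archive in memory from {name: bytes}."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    # wbits=31 selects the gzip container, producing a single gzip member
    comp = zlib.compressobj(wbits=31)
    return comp.compress(tar_buf.getvalue()) + comp.flush()


def sign(tgz):
    """Signature over the exact compressed bytes that get installed."""
    return hmac.new(SIGNING_KEY, tgz, hashlib.sha256).digest()


def bundle(tgz):
    """Append the signature after the gzip stream: the hypothetical .stgz."""
    return tgz + sign(tgz)


def split_bundle(blob):
    """Return (tgz_bytes, tar_bytes, trailer).

    zlib stops at the end of the first gzip member and leaves everything
    after it in unused_data, which is where the appended signature lives.
    """
    d = zlib.decompressobj(wbits=31)
    tar_bytes = d.decompress(blob)
    if not d.eof:
        raise ValueError("truncated gzip stream")
    trailer = d.unused_data
    tgz = blob[: len(blob) - len(trailer)]
    return tgz, tar_bytes, trailer


def verify_bundle(blob):
    """Check the appended signature before any member is extracted.

    Returns the archive member names on success; raises ValueError when the
    signature is missing, malformed, or does not match.
    """
    tgz, tar_bytes, trailer = split_bundle(blob)
    if len(trailer) == 0:
        raise ValueError("no signature attached")
    if len(trailer) != SIG_LEN:
        raise ValueError("unexpected trailer length %d" % len(trailer))
    if not hmac.compare_digest(trailer, sign(tgz)):
        raise ValueError("bad signature")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return tar.getnames()


if __name__ == "__main__":
    # Constructed sample package: a pkgsrc-style +CONTENTS plus one file
    pkg = make_tgz({"+CONTENTS": b"@name demo-1.0\n", "bin/demo": b"#!/bin/sh\n"})
    print("signed bundle members:", verify_bundle(bundle(pkg)))
    try:
        verify_bundle(pkg)  # plain .tgz, nothing tacked on
    except ValueError as err:
        print("unsigned .tgz rejected:", err)
```

Because the gzip member has to be decoded to find where the trailer starts, the payload is inflated into memory before the signature is checked; nothing is written to disk until `verify_bundle` returns, and a plain `tar`/`pax` run on the same file still works because both ignore the bytes after the gzip stream.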