Subject: Re: [agc@netbsd.org: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-pkg
Date: 10/03/2001 18:55:04
> I wonder if it was possible to make the signature part of the +-files, and
> if present do the sigature checking?  Just like what we do for +MESSAGE
> files etc.

It would make verifying the signature a bit messy, since the signature
obviously couldn't cover the +SIGNATURE file; you'd have to be able to
reconstruct the tarball as it was without the +SIGNATURE.

An alternate approach would be to double-wrap things -- have a tarball
containing the package tarball and a +SIGNATURE file, and then unwrap
the inner tarball if the signature verifies.