tech-pkg archive


DISTFILES signature verification



Hi,

Quite a while ago (I think it was pkgsrccon '06) I demo'ed a small
addition to pkgsrc that would allow for verification of detached
signatures of ${DISTFILES} using gpg.  To get this working, you need to
enable it using the global switch, and unless you want to manually add
the keys to your keyring, I'd also suggest letting gpg automagically
download any missing sigs.  You can set all this up by specifying the
following in your mk.conf:

VERIFY_SIG=             yes
VERIFY_AUTOFETCH=       yes

By default this will add any signatures to ~/.gnupg; again, if you don't
want to mess with your default keyring, you can tell gpg to use a keyring
located elsewhere:

VERIFY_SIG_ARGS=        --verify --batch --homedir=/tmp

The easiest way to test all this is to add HAS_SIG=yes to any package
that has a .sig file located at ${MASTER_SITES} called
${DISTFILE}${VERIFY_SIG_EXTN} (e.g. mail/sendmail).

From then on, just doing the usual 'make' will download and verify the .sig.
Everything is probably better explained in the comments at the top of
verify-sig.mk.

To get this all going just drop verify.sig.mk in your mk/ directory and
apply the patches here:

http://www.stindustries.net/NetBSD/stuff/verify-sig/

Comments?

adrian.
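
An added example, not part of the original post or of verify-sig.mk: when keys are fetched automatically, a successful `gpg --verify` only shows that some key made the signature, so a caller can additionally require that gpg's machine-readable status output names one pinned fingerprint. The function names, the keyring directory argument and all sample fingerprints and status lines below are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a detached signature only from a pinned key.
# Function names and all sample values below are constructed for illustration.

# sig_status_ok PINNED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line names
# the pinned fingerprint (signing key or primary key) and no failure line appears.
sig_status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_distfile DISTFILE SIGFILE PINNED_FPR KEYRING_DIR
# Uses a dedicated keyring directory and no key auto-retrieval, so only keys
# placed there deliberately can produce a VALIDSIG line.
verify_distfile() {
    gpg --batch --no-auto-key-retrieve --homedir "$4" --status-fd 1 \
        --verify "$2" "$1" 2>/dev/null | sig_status_ok "$3"
}

# Constructed status output (not captured from a real run).
PINNED=0123456789ABCDEF0123456789ABCDEF01234567
GOOD_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $PINNED 2007-01-01 1167609600 0 3 0 17 2 00 $PINNED"
# A cryptographically valid signature, but made by some other key.
OTHER_KEY_STATUS="[GNUPG:] GOODSIG 7654321076543210 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321076543210 2007-01-01 1167609600 0 3 0 17 2 00 FEDCBA9876543210FEDCBA987654321076543210"
BAD_STATUS="[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>"

# Demo over the constructed samples; runs without gpg installed.
for name in GOOD_STATUS OTHER_KEY_STATUS BAD_STATUS; do
    eval "lines=\$$name"
    if printf '%s\n' "$lines" | sig_status_ok "$PINNED"; then
        echo "$name: accept"
    else
        echo "$name: reject"
    fi
done
```

The pinned fingerprint has to reach the package description through a channel other than the download site that serves the distfile and its .sig.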

