tech-pkg archive
Re: pkg_info -X: Add FILE_CKSUM (sha256)
On Tue, Jan 06, 2026 at 03:59:36AM +0100, Taylor R Campbell wrote:
> The pkg_summary(5) file documents the following syntax:
>
> FILE_CKSUM
> (optional) A checksum type supported by digest(1) and checksum
> separated by space character.
>
> But it was apparently never implemented in `pkg_info -X'. This patch
> implements it, with SHA256 for now.
>
> This allows a client to verify that the .tgz file it got by reference
> from a pkg_summary is the same as the one the pkg_summary meant.
> This is important for detecting version rollback attacks -- signing
> the package itself doesn't help. (Patch to pkgin to verify the hashes
> coming.)
>
> pkg_install already uses the NetBSD sha2(3) API in pkg_admin, so this
> brings in no new library dependencies. (Any other hash might.)
>
> OK?

The patch looks fine. I'm just curious about one thing:

Are there any common tasks that call 'pkg_info -X' and will now be
slowed down because every file listed in the summary file will now be
read?

Thanks,
Thomas
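
An added example (not part of this thread, and not code from pkg_install or pkgin): the client-side check the quoted message describes, matching a downloaded file against the FILE_CKSUM of its pkg_summary(5) entry and failing closed when the optional field is missing. The lowercase `sha256` type name, the hex encoding, the function names and the sample package data are assumptions constructed for illustration.

```python
import hashlib
import io

def parse_pkg_summary(text):
    """Split pkg_summary(5) text into entries (blank-line separated VARIABLE=VALUE)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Some variables may repeat within an entry, so keep a list per key.
            cur.setdefault(key, []).append(value)
    if cur:
        entries.append(cur)
    return entries

def verify_download(entries, file_name, stream, chunk=1 << 16):
    """True only if stream hashes to the FILE_CKSUM listed for file_name."""
    matches = [e for e in entries if e.get("FILE_NAME") == [file_name]]
    if len(matches) != 1:
        return False              # unknown or ambiguous FILE_NAME
    cksum = matches[0].get("FILE_CKSUM", [])
    if len(cksum) != 1:
        return False              # field is optional: absence must not pass
    algo, _, expected = cksum[0].partition(" ")
    if algo.lower() != "sha256":  # assumed type spelling; only SHA256 handled
        return False
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):  # hash in chunks
        h.update(block)
    return h.hexdigest() == expected.strip().lower()

# Constructed sample data, not real packages or real checksums.
NEW_TGZ = b"constructed bytes standing in for foo-1.1.tgz"
OLD_TGZ = b"constructed bytes standing in for an older build of foo"
SUMMARY = (
    "PKGNAME=foo-1.1\nFILE_NAME=foo-1.1.tgz\n"
    "FILE_CKSUM=sha256 " + hashlib.sha256(NEW_TGZ).hexdigest() + "\n"
    "\n"
    "PKGNAME=bar-2.0\nFILE_NAME=bar-2.0.tgz\n"
)

if __name__ == "__main__":
    entries = parse_pkg_summary(SUMMARY)
    for name, data in (("foo-1.1.tgz", NEW_TGZ), ("foo-1.1.tgz", OLD_TGZ)):
        print(name, verify_download(entries, name, io.BytesIO(data)))
```

The second call models a mirror serving different bytes under the name the summary references; the check rejects it regardless of whether those bytes carry a valid package signature.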