Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Hubert Feyrer <hubert@feyrer.de>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 07/30/2005 21:45:50
>> For pkg_add, how does this sound?

>In the process of creating the +CONTENTS file from the PLIST (in 
>pkg_create) we calculate MD5 checksums of all files right now, so that may 
>be a possible point to add that signing.

It would actually be nice if there were a +CONTENTS.sig, so that one could 
verify that all files mentioned in the +CONTENTS are present and correct.

>I think there's a difference if you sign every file in an archive, or the 
>archive as a whole, and as such I'm not sure this approach is good enough.

In the case of signing individual files (and perhaps providing older 
verification methods such as .md5's or .sha1's), it is still useful
to have an overall .sig to prove that nothing has been added or removed 
from the .tgz.   A +CONTENTS.sig would serve that purpose nicely.

--sjg
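The scheme sketched in the message above (a +CONTENTS manifest carrying a digest for every file, plus a single +CONTENTS.sig over the whole manifest) can be worked through in a few lines. The following is an added example, not code from this thread or from pkg_add/pkg_create. It makes several assumptions: the unpacked .tgz is modelled as an in-memory dict of path to bytes with constructed file names and contents; SHA-256 is used for the per-file digests where pkg_create of the time used MD5; and HMAC-SHA256 under a constructed demo key stands in for the public-key signature that a real package signing scheme would use, so the example runs with the Python standard library alone. The verification step shows why the manifest signature matters: a per-file check alone cannot tell that a file was added to or removed from the archive, but a signed manifest can.

```python
import hashlib
import hmac

# Constructed example package contents (path -> bytes); stands in for an
# unpacked .tgz. These are not files from any real NetBSD package.
SAMPLE_FILES = {
    "bin/hello": b"#!/bin/sh\necho hello\n",
    "share/doc/hello/README": b"Hello, world.\n",
}

# Constructed demo key. A real scheme would use a public-key signature so that
# verifiers hold no secret; HMAC-SHA256 is a stdlib stand-in for the example.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

SIG_FAILURE = "+CONTENTS signature does not verify"


def file_digest(data: bytes) -> str:
    """Per-file digest recorded in the manifest (SHA-256 here, MD5 in 2005 pkg_create)."""
    return hashlib.sha256(data).hexdigest()


def build_contents(files: dict) -> bytes:
    """Build a +CONTENTS-style manifest: one 'path sha256=<hex>' line per file.

    Entries are sorted so the manifest, and therefore its signature, is
    deterministic for a given set of files.
    """
    lines = [f"{name} sha256={file_digest(data)}" for name, data in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def sign_contents(contents: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Produce +CONTENTS.sig: one signature over the whole manifest."""
    return hmac.new(key, contents, hashlib.sha256).hexdigest().encode()


def parse_contents(contents: bytes) -> dict:
    """Parse the manifest back into {path: hex digest}."""
    entries = {}
    for line in contents.decode().splitlines():
        if not line.strip():
            continue
        name, digest_field = line.rsplit(" ", 1)
        algo, digest = digest_field.split("=", 1)
        if algo != "sha256":
            raise ValueError(f"unsupported digest algorithm {algo!r}")
        entries[name] = digest
    return entries


def verify_package(files: dict, contents: bytes, sig: bytes, key: bytes = DEMO_KEY) -> list:
    """Verify an unpacked package against its signed +CONTENTS.

    Returns a sorted list of problems; an empty list means the package verifies.
    Checked, in order:
      1. the manifest signature (so a tampered manifest is rejected outright),
      2. every listed file is present with the recorded digest,
      3. no file is present that the manifest does not list.
    """
    expected_sig = sign_contents(contents, key)
    if not hmac.compare_digest(expected_sig, sig):
        return [SIG_FAILURE]

    problems = []
    entries = parse_contents(contents)
    for name, digest in entries.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif file_digest(files[name]) != digest:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in entries:
            problems.append(f"unlisted: {name}")
    return sorted(problems)


if __name__ == "__main__":
    contents = build_contents(SAMPLE_FILES)
    sig = sign_contents(contents)
    print("intact package:", verify_package(SAMPLE_FILES, contents, sig))

    # A file added to the archive is caught only because the manifest is signed.
    with_extra = dict(SAMPLE_FILES, **{"bin/extra": b"not in the manifest\n"})
    print("file added:", verify_package(with_extra, contents, sig))

    # Rewriting +CONTENTS to cover a changed file fails at the signature check.
    altered = dict(SAMPLE_FILES, **{"bin/hello": b"#!/bin/sh\necho changed\n"})
    print("manifest rewritten:", verify_package(altered, build_contents(altered), sig))
```

The order of checks is deliberate: the signature over +CONTENTS is verified first, so the per-file digests are only trusted once the manifest itself is known to be authentic. Only the manifest and its signature need to be fetched from a trusted source; the individual .md5 or .sha1 files mentioned in the thread become redundant once every digest lives inside the signed manifest.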