Subject: Re: BPG call for use cases
To: Simon J. Gerraty <sjg@crufty.net>
From: Curt Sampson <cjs@cynic.net>
List: tech-security
Date: 07/31/2005 13:51:36
On Sat, 30 Jul 2005, Simon J. Gerraty wrote:

> I'm late to the party again, but fwiw, I've been using "signed"
> packages at work for some time. This is typically done as a wrapper
> package - that contains the original .tgz and a .tgz.sig and the bits
> needed to verify it. Customers can only access the "signed" packages
> btw.
>
> For more recent packaging, the .sig's are an integral part of the
> packaging and are verified by the +INSTALL script.

Can you explain the details of how you're doing this?

(I've added tech-pkg to the list; there's been a fair amount of
discussion there about different ways of implementing this.)

> Even more recently, I replaced pkg_add with a rather simple shell
> script (does all the pkg_add functionality that we use), with the big
> difference being that it insists on verifying the .sig's before even
> running the +REQUIRE. That's rather important for FIPS compliance...

I'll keep that in mind.

> BTW, updating pkg_* to use sha1 hashes (or better yet sha2) rather
> than md5 would be a useful improvement.

I've been anticipating a generic archive signing mechanism that would
let you use your choice of as many different hash types as you want, a
la pkgsrc distinfo files.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
      Make up enjoying your city life...produced by BIC CAMERA
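Added example (not Simon's or Curt's code, and not pkgsrc's) of the "verify before +REQUIRE, with as many hash types as you like" idea sketched above: a POSIX sh function that checks every hash a pkgsrc-style distinfo file lists for an archive and fails closed on a mismatch, an unlisted file, or an algorithm it does not accept (MD5 is deliberately absent). It assumes coreutils sha1sum/sha256sum and mktemp are on PATH; the file names, hashes and "archive" contents are constructed.

```shell
#!/bin/sh
# Assumed distinfo line format (pkgsrc style):   SHA1 (foo.tgz) = <hex>
# Assumes coreutils sha1sum/sha256sum are available.

# hash_cmd ALGO -> prints the tool that emits "<hex>  <file>", or fails.
hash_cmd() {
    case "$1" in
        SHA1)   echo sha1sum ;;
        SHA256) echo sha256sum ;;
        *)      return 1 ;;    # unknown or disallowed (MD5 is not listed)
    esac
}

# verify_distinfo DISTINFO FILE
# Returns 0 only if at least one hash line for FILE was found and every
# listed hash matched; otherwise returns 1 so the caller never unpacks
# or runs +REQUIRE/+INSTALL from an unverified archive.
verify_distinfo() {
    distinfo=$1; file=$2; base=$(basename "$file"); checked=0
    while IFS= read -r line; do
        case "$line" in
            *" ($base) = "*) ;;              # only lines for this file
            *) continue ;;
        esac
        algo=${line%% *}                     # e.g. SHA256
        expected=${line##*= }                # hex digest from the line
        cmd=$(hash_cmd "$algo") || { echo "rejected algorithm $algo" >&2; return 1; }
        actual=$("$cmd" "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "$algo mismatch for $base" >&2
            return 1
        fi
        checked=$((checked + 1))
    done < "$distinfo"
    [ "$checked" -gt 0 ] || { echo "no hashes for $base in $distinfo" >&2; return 1; }
}

# make_fixture -> prints a temp dir holding a constructed "archive" and a
# matching distinfo (digests of the bytes "hello\n").
make_fixture() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/foo.tgz"
    cat > "$dir/distinfo" <<'EOF'
SHA1 (foo.tgz) = f572d396fae9206628714fb2ce00f72e94f2258f
SHA256 (foo.tgz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
EOF
    echo "$dir"
}

d=$(make_fixture)
if verify_distinfo "$d/distinfo" "$d/foo.tgz"; then echo "foo.tgz verified"; fi
```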