pkgsrc-Users archive


Re: pkgsrc signature verification?



6E7368 <6E7368%protonmail.com@localhost> writes:

> Thanks Greg, it's been a while since I've been on a mailing list and I
> didn't think of it as a platform-specific question. I'm on a fresh
> install of netbsd 9.0 on a rpi3b+ with sources from anoncvs.netbsd.org
> without any configuration besides users, passwords, hostname and
> disabling sshd.

And presumably you are using packages from ftp.netbsd.org.

> I don't know if this is the best place to ask this, but shouldn't
> pkgsrc check for netpgpverify in $PATH and use that by default if it's
> there? Or at least print something to stdout? I remember a message
> printed about installing gnupg to verify downloads but it said nothing
> about netpgpverify. (I've rebooted since and I don't have shell
> history saved).

There are signatures on the base system sets.

"pkgsrc" doesn't check; pkgsrc is a set of files that allow one to
build packages from source.

What I think you are asking is "why isn't pkg_add, which is part of the
base system I installed, looking for netpgpverify and deciding to
verify things (which means refusing to install unverified things)?"  The
answer is basically that you can't verify a signed package with just a
program -- you also need to have the public key.

If you had a set of signed packages, and the public key, you could
configure pkg_add to verify them.  This is described, confusingly, in
pkg_install.conf(5).

Signing packages is easy for one person, and the difficulty appears to
be proportional to the number of people in the organization raised to
the 0.7 power :-)

Attachment: signature.asc
Description: PGP signature
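As an added illustration of the point above about configuring pkg_add (this is example code written for this archive page, not part of Greg's message and not pkg_install's own code): a small sh helper that reads a pkg_install.conf and reports whether pkg_add would actually refuse unsigned packages. The variable names VERIFIED_INSTALLATION and GPG_KEYRING_VERIFY are the ones pkg_install.conf(5) documents, with "never" as the documented default; confirm both against the man page shipped with your release. The two configuration files are constructed for the example, and the keyring path /etc/pkg-keyring.gpg is a hypothetical location, not a NetBSD default.

```shell
#!/bin/sh
# Added example, not code from the original message or from pkg_install.
# Audits a pkg_install.conf(5) file for package signature enforcement.
# Variable names follow pkg_install.conf(5) (assumption: check your release).

# verification_mode FILE
# Prints the effective VERIFIED_INSTALLATION value. The last assignment in
# the file wins; an absent setting falls back to "never", the documented
# default, under which pkg_add installs unsigned packages without comment.
verification_mode() {
    mode=$(sed -n 's/^[[:space:]]*VERIFIED_INSTALLATION=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-never}"
}

# enforces_verification FILE
# Succeeds (exit 0) only when the configuration both demands a valid
# signature on every package ("always") and names a keyring to check it
# against: as the message says, a verifier program alone is useless
# without the public key.
enforces_verification() {
    [ "$(verification_mode "$1")" = always ] || return 1
    grep -q '^[[:space:]]*GPG_KEYRING_VERIFY=..*' "$1"
}

# Constructed sample configurations (not real files from any system).
# The weak one is what a fresh install looks like: nothing set at all.
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
# pkg_install.conf on a fresh install: no verification settings present
EOF

# The corrected one requires a signature and says which keys to trust.
# /etc/pkg-keyring.gpg is a hypothetical path chosen for this example.
strict_conf=$(mktemp)
cat > "$strict_conf" <<'EOF'
GPG=/usr/pkg/bin/gpg
GPG_KEYRING_VERIFY=/etc/pkg-keyring.gpg
VERIFIED_INSTALLATION=always
EOF

# cleanup_samples: remove the constructed files when done.
cleanup_samples() {
    rm -f "$weak_conf" "$strict_conf"
}

# Report on both samples when run directly.
for f in "$weak_conf" "$strict_conf"; do
    if enforces_verification "$f"; then
        printf '%s: mode=%s, signatures enforced\n' "$f" "$(verification_mode "$f")"
    else
        printf '%s: mode=%s, unsigned packages would be installed\n' "$f" "$(verification_mode "$f")"
    fi
done
```

The helper only reads the configuration; it does not sign or verify anything itself. Signing still needs a key pair and a signed package set on the distribution side, and the verifying host needs the corresponding public key in the keyring named by GPG_KEYRING_VERIFY, which is exactly the part a bare "look for netpgpverify in $PATH" heuristic cannot supply.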


