On 01.10.2022 at 22:18, Jonathan Perkin wrote:
> * On 2022-10-01 at 21:07 BST, Roland Illig wrote:
>
>> My next step was to run 'man pkg_install.conf', as indicated by the 'SEE ALSO' section in 'man pkg_info'. There, I found that I could disable the verification. What was missing was the information about how to properly set up package verification.
>
> You need to set GPG_KEYRING_VERIFY to point to a keyring file that contains the public key used to sign the packages.

I solved the problem by starting from scratch, following the instructions on https://pkgsrc.joyent.com/install-on-netbsd/.

I don't know where the key ID comes from. I tried this:

    $ netpgpkeys --list-keys --keyring=/usr/pkg.old/etc/gnupg/pkgsrc.gpg
    1 key found
    "pub" 4096/"RSA (Encrypt or Sign)" "60115c645d402cc3" 2020-07-21
    Key fingerprint: "c100 ee37 7b92 1a0d 477e 5dde 6011 5c64 5d40 2cc3 "
    uid "Joyent Package Signing (NetBSD) <pkgsrc%joyent.com@localhost>" ""
    encryption 4096/"RSA (Encrypt or Sign)" "96c4af7fb9d919f5" 2020-07-21

This doesn't look like the b5952cabdd765a20 from the subject.

    $ netpgpkeys --list-keys --keyring=/usr/pkg/etc/gnupg/pkgsrc.gpg
    1 key found
    "pub" 4096/"RSA (Encrypt or Sign)" "b5952cabdd765a20" 2022-06-30
    Key fingerprint: "01b6 9b67 8d9c 79df a3a2 71af b595 2cab dd76 5a20 "
    uid "MNX Cloud Package Signing (NetBSD) <pkgsrc+netbsd%smartos.org@localhost>" ""
    encryption 4096/"RSA (Encrypt or Sign)" "58ae85f6c72658c9" 2022-06-30

The newly downloaded bootstrap kit contains the correct key though. I wonder where the old key came from or how I could find out more about that old key, given only its key ID.

There's still a lot of work to be done until signed binary packages are user-friendly. Having the packages signed is something I really like though. I regard it as a basic requirement rather than a feature.

Roland
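
As an added example (not part of the original message, and not pkgsrc or netpgp code): a small Python parser for the two `netpgpkeys --list-keys` listings quoted above that reports which keyring holds a given key ID and checks that the primary key ID is the tail of its fingerprint. The line breaks in the embedded listings and all function names are assumptions.

```python
import re

# Listings as quoted in the mail above; line breaks are assumed, the parser ignores them.
OLD = '''1 key found
"pub" 4096/"RSA (Encrypt or Sign)" "60115c645d402cc3" 2020-07-21
Key fingerprint: "c100 ee37 7b92 1a0d 477e 5dde 6011 5c64 5d40 2cc3 "
uid "Joyent Package Signing (NetBSD) <pkgsrc%joyent.com@localhost>" ""
encryption 4096/"RSA (Encrypt or Sign)" "96c4af7fb9d919f5" 2020-07-21'''
NEW = '''1 key found
"pub" 4096/"RSA (Encrypt or Sign)" "b5952cabdd765a20" 2022-06-30
Key fingerprint: "01b6 9b67 8d9c 79df a3a2 71af b595 2cab dd76 5a20 "
uid "MNX Cloud Package Signing (NetBSD) <pkgsrc+netbsd%smartos.org@localhost>" ""
encryption 4096/"RSA (Encrypt or Sign)" "58ae85f6c72658c9" 2022-06-30'''

# role, bit length, quoted algorithm name, 16-hex-digit key ID, creation date
KEY_RE = re.compile(r'"?(\w+)"?\s+(\d+)/"[^"]*"\s+"([0-9a-f]{16})"\s+(\d{4}-\d{2}-\d{2})')
FPR_RE = re.compile(r'Key fingerprint:\s*"([0-9a-f ]+)"')

def parse_listing(text):
    """Return one dict per key line, with each fingerprint attached to the key it follows."""
    keys = [{"role": m[1], "bits": int(m[2]), "keyid": m[3], "created": m[4],
             "fingerprint": None, "end": m.end()} for m in KEY_RE.finditer(text)]
    for m in FPR_RE.finditer(text):
        owners = [k for k in keys if k["end"] <= m.start()]
        if owners:
            owners[-1]["fingerprint"] = m[1].replace(" ", "")
    return keys

def keyid_consistent(key):
    """An OpenPGP v4 key ID is the low 64 bits of the 160-bit fingerprint (RFC 4880, 12.2)."""
    fpr = key["fingerprint"]
    return fpr is not None and len(fpr) == 40 and fpr.endswith(key["keyid"])

def locate_key(wanted, keyrings):
    """Return (path, key) for every keyring whose listing contains the wanted key ID."""
    wanted = wanted.lower().removeprefix("0x")
    return [(path, key) for path, text in keyrings.items()
            for key in parse_listing(text) if key["keyid"] == wanted]

if __name__ == "__main__":
    rings = {"/usr/pkg.old/etc/gnupg/pkgsrc.gpg": OLD, "/usr/pkg/etc/gnupg/pkgsrc.gpg": NEW}
    for path, key in locate_key("b5952cabdd765a20", rings):
        print(path, key["role"], key["fingerprint"], "consistent:", keyid_consistent(key))
```

A key ID match only locates a candidate key; before trusting a keyring, compare the full fingerprint with one obtained from an independent source.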