Can you tell how to do the verification "manually" (using openssl?)
for all our openssl-neophytes out there that don't want to install a
package (or even run netbsd/pkgsrc) to check the signature?
It is a bit tricky as the signatures are created in a way to allow
streaming installation from FTP. A signed package is normally an
ar(1)chive, containing three entries:
+PKG_HASH
+PKG_SIGNATURE
pkg.tgz
(the latter just named after the package). It doesn't really matter if
it is ar(1) or some other supported archive format, but it does care
about the order.
The third file should be obvious. The second file is the PKCS7 signature
of the first, it can be validated e.g. with nbsvtool(1). The first file
is the description of the package. It looks for example like:
--- cut here ---
pkgsrc signature
version: 1
pkgname: digest-20070803
algorithm: SHA512
block size: 65536
file size: 36854
4ba682e9c01e6fc31d5e8e84cb6d4a8b0c85f9df0f7cd30510ec2ee30d48b598a7e3b8adfa2ca06df5a48b22a0831ab89367e8a81f40366055a39f45728139a3
end pkgsrc signature
--- cut here ---
The last part before "end pkgsrc signature" is the hash of each block.
Validating this is the tricky part, it will require some use of split(1)
or so :-) It is not recommended to create the files by hand as the
parser is pretty dumb^Wstrict.