Setting up SIGNATURE_TYPE: PUBKEY in a custom repository

[Matthew Pounsett]

I’m setting up a local package repository using PGP signatures for verification.  The man page for pkg.conf says that the option “PUBKEY” (for setting the path to the public key) is deprecated, but fails to mention what the new method for managing this is.   I’ve tried googling about this, but all I find is people still having problems with PACKAGESITE in the default pkg.conf (still think it’s amusing that pkg installs a default config file it can’t use).

pkg seems to accept SIGNATURE_TYPE: PUBKEY, and a PUBKEY path, but it is not actually doing any signature verification.  I can test this by deleting the public key from the client machine where this config resides, and pkg produces no errors.

Can anyone point me to real (current) documentation for setting this up?

Thanks!