Does pkg check signatures?

Yuri yuri at
Tue Jan 14 12:42:55 UTC 2014

On 01/14/2014 04:10, Matthew Seaman wrote:
> pkg is fully capable of checking cryptographic signatures if configured
> to do so.  Specifically you need 'signature-type' and 'fingerprints'
> defined in your repo.conf
> Try using the standard /etc/pkg/FreeBSD.conf available here:
> and the public key in /usr/share/keys/pkg available here:

I followed your instructions. File /usr/local/etc/pkg/repos/FreeBSD.conf 
is like this:
FreeBSD: {
   url: "pkg+${ABI}/latest",
   mirror_type: "srv",
   signature_type: "fingerprints",
   fingerprints: "/usr/share/keys/pkg",
   enabled: yes

and file /usr/share/keys/pkg/trusted/ is like 
# $FreeBSD$

function: "sha256"

'pkg install' reads the first file, doesn't read the second file, and 
succeeds downloading and installing a package. Something is wrong.
Which file is this fingerprint for? Every downloaded file should have 
individual signature downloaded with it.


More information about the freebsd-pkg mailing list