Does pkg check signatures?

Yuri yuri at rawbw.com
Tue Jan 14 12:42:55 UTC 2014


On 01/14/2014 04:10, Matthew Seaman wrote:
> pkg is fully capable of checking cryptographic signatures if configured
> to do so.  Specifically you need 'signature-type' and 'fingerprints'
> defined in your repo.conf
>
> Try using the standard /etc/pkg/FreeBSD.conf available here:
>
> http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=log
>
> and the public key in /usr/share/keys/pkg available here:
>
> http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?view=log

I followed your instructions. File /usr/local/etc/pkg/repos/FreeBSD.conf is like this:
---begin---
FreeBSD: {
   url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
   mirror_type: "srv",
   signature_type: "fingerprints",
   fingerprints: "/usr/share/keys/pkg",
   enabled: yes
}
---end---

and file /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is like this:
---begin---
# $FreeBSD$

function: "sha256"
fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
---end---

'pkg install' reads the first file, doesn't read the second file, and succeeds downloading and installing a package. Something is wrong.
Which file is this fingerprint for? Every downloaded file should have an individual signature downloaded with it.

Yuri
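The question above is what the fingerprint in /usr/share/keys/pkg/trusted/ actually identifies. In pkg's "fingerprints" signature mode it is the SHA-256 digest of the repository's signing public key, not a hash of any package file: the key travels with the signed repository catalogue, pkg hashes it and looks the digest up in the trusted/ and revoked/ directories named by the fingerprints setting, and only a key whose digest is trusted (and not revoked) is used to verify the catalogue signature. The following Python script is an added illustration of that lookup step, written for this thread; it is not pkg's own code. The fingerprint-file parser follows the format shown in the message (function: "sha256", fingerprint: "..."), tolerating the value being wrapped onto the next line as it is in the mail. The public key bytes, the second key and the file contents below are constructed sample data, not FreeBSD's real key or fingerprint; the hypothetical classify_key() only shows the trusted/revoked decision and does not perform the catalogue signature check that pkg does afterwards.

```python
import hashlib
import re
from pathlib import Path

# The two entries of a pkg fingerprint file, written UCL-style as key: "value".
_FUNC_RE = re.compile(r'function:\s*"([A-Za-z0-9]+)"')
_FP_RE = re.compile(r'fingerprint:\s*"([0-9a-fA-F]{64})"')


def parse_fingerprint_file(text):
    """Return (hash_function, fingerprint) from a fingerprint file's contents.

    \\s* in the regex also accepts the value on the line after 'fingerprint:',
    which is how the file looks when pasted into a mail client that wraps lines.
    """
    func = _FUNC_RE.search(text)
    fp = _FP_RE.search(text)
    if not func or not fp:
        raise ValueError("not a pkg fingerprint file")
    if func.group(1).lower() != "sha256":
        raise ValueError("unsupported hash function %r" % func.group(1))
    return func.group(1).lower(), fp.group(1).lower()


def key_fingerprint(public_key):
    """SHA-256 hex digest of the repository public key exactly as shipped."""
    return hashlib.sha256(public_key).hexdigest()


def load_fingerprints(directory):
    """Collect the fingerprints from every file in a trusted/ or revoked/ directory."""
    result = set()
    directory = Path(directory)
    if not directory.is_dir():
        return result
    for path in sorted(directory.iterdir()):
        if path.is_file():
            result.add(parse_fingerprint_file(path.read_text())[1])
    return result


def classify_key(public_key, trusted, revoked):
    """Decide whether a repository key may be used: 'revoked' beats 'trusted',
    and an 'unknown' key must never be used to accept a catalogue."""
    fp = key_fingerprint(public_key)
    if fp in revoked:
        return "revoked"
    if fp in trusted:
        return "trusted"
    return "unknown"


# Constructed sample data (hypothetical, not a real FreeBSD key): a stand-in
# public key and the fingerprint file an operator would drop into trusted/ for it,
# with the value wrapped onto the next line just as in the mail above.
SAMPLE_KEY = (b"-----BEGIN PUBLIC KEY-----\n"
              b"example-key-material-not-real\n"
              b"-----END PUBLIC KEY-----\n")
SAMPLE_TRUSTED_FILE = 'function: "sha256"\nfingerprint: \n"%s"\n' % key_fingerprint(SAMPLE_KEY)
OTHER_KEY = (b"-----BEGIN PUBLIC KEY-----\n"
             b"some-other-key-not-in-trusted\n"
             b"-----END PUBLIC KEY-----\n")


def demo():
    """Run the lookup for the sample key and for a key nobody has trusted."""
    trusted = {parse_fingerprint_file(SAMPLE_TRUSTED_FILE)[1]}
    revoked = set()
    return {
        "sample": classify_key(SAMPLE_KEY, trusted, revoked),
        "other": classify_key(OTHER_KEY, trusted, revoked),
    }


if __name__ == "__main__":
    print(demo())
```

Run against a real /usr/share/keys/pkg tree, load_fingerprints(".../trusted") and load_fingerprints(".../revoked") give the two sets, and the key to feed classify_key() is the one pkg receives with the repository catalogue, which is why 'pkg install' never opens the fingerprint file "for" any individual package.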
