Does pkg check signatures?

Baptiste Daroussin bapt at FreeBSD.org
Tue Jan 14 12:58:36 UTC 2014


On Tue, Jan 14, 2014 at 04:42:54AM -0800, Yuri wrote:
> On 01/14/2014 04:10, Matthew Seaman wrote:
> > pkg is fully capable of checking cryptographic signatures if configured
> > to do so.  Specifically you need 'signature-type' and 'fingerprints'
> > defined in your repo.conf
> >
> > Try using the standard /etc/pkg/FreeBSD.conf available here:
> >
> > http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=log
> >
> > and the public key in /usr/share/keys/pkg available here:
> >
> > http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?view=log
> 
> I followed your instructions. File /usr/local/etc/pkg/repos/FreeBSD.conf 
> is like this:
> ---begin---
> FreeBSD: {
>    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
>    mirror_type: "srv",
>    signature_type: "fingerprints",
>    fingerprints: "/usr/share/keys/pkg",
>    enabled: yes
> }
> ---end---
> 
> and file /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is like 
> this:
> ---begin---
> # $FreeBSD$
> 
> function: "sha256"
> fingerprint: 
> "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
> ---end---
> 
> 'pkg install' reads the first file, doesn't read the second file, and 
> succeeds downloading and installing a package. Something is wrong.
> Which file is this fingerprint for? Every downloaded file should have 
> individual signature downloaded with it.
> 
What is signed is the catalog which contains the hash of all the available
packages.

So the signature is only checked during pkg update, in case the database is being
updated, not during package installation, because it is not needed there: the fetched
packages are tested against their hash.

regards,
Bapt
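The trust chain Bapt describes, written out as an added example (not pkg's own code and not from this list): the repository signs the catalog once, the client's fingerprints file pins the sha256 of the repository key, and individual packages are later checked only against the hash the verified catalog carries. The RSA key here is a constructed textbook toy over tiny primes so the block runs with only the standard library; the package names, archive bytes and fingerprint entry are likewise constructed. Nothing in this block reflects pkg(8)'s actual file formats.

```python
import hashlib
import json

# Constructed demo key: textbook RSA over tiny primes so the block runs
# offline with only the standard library. Real pkg uses a proper RSA key;
# this toy is NOT secure and only models the trust chain.
_P, _Q = 1000003, 1000033
RSA_N = _P * _Q
RSA_E = 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

# The "public key file" a client fetches from the repository along with the
# catalog; its sha256 is what a fingerprints file pins.
PUBLIC_KEY = f"n={RSA_N} e={RSA_E}".encode()

# Stand-in for /usr/share/keys/pkg/trusted/<name>: name -> sha256 fingerprint.
TRUSTED_FINGERPRINTS = {
    "pkg.example.org.demo": hashlib.sha256(PUBLIC_KEY).hexdigest(),
}


def _digest_int(data: bytes) -> int:
    # Reduce the sha256 digest into the toy modulus; a real scheme pads instead.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N


def sign_catalog(catalog_bytes: bytes) -> int:
    """Repository side: sign the catalog once with the private key."""
    return pow(_digest_int(catalog_bytes), _RSA_D, RSA_N)


def key_is_trusted(pubkey: bytes, fingerprints: dict) -> bool:
    """'fingerprints' mode: sha256 of the fetched key must match a pinned one."""
    return hashlib.sha256(pubkey).hexdigest() in fingerprints.values()


def verify_catalog(catalog_bytes: bytes, signature: int, pubkey: bytes,
                   fingerprints: dict) -> dict:
    """'pkg update' step: check key fingerprint, then signature, then parse."""
    if not key_is_trusted(pubkey, fingerprints):
        raise ValueError("repository key not in trusted fingerprints")
    n, e = (int(part.split("=")[1]) for part in pubkey.decode().split())
    if pow(signature, e, n) != _digest_int(catalog_bytes):
        raise ValueError("catalog signature does not verify")
    return json.loads(catalog_bytes)


def package_matches_catalog(name: str, pkg_bytes: bytes, catalog: dict) -> bool:
    """'pkg install' step: no signature here, only the hash pinned by the catalog."""
    expected = catalog["packages"].get(name)
    return expected is not None and hashlib.sha256(pkg_bytes).hexdigest() == expected


# Constructed sample repository: two fake package archives and their catalog.
PACKAGES = {
    "nginx-1.4.4.txz": b"constructed nginx archive bytes",
    "curl-7.34.0.txz": b"constructed curl archive bytes",
}
CATALOG_BYTES = json.dumps({
    "packages": {n: hashlib.sha256(b).hexdigest() for n, b in PACKAGES.items()}
}, sort_keys=True).encode()
CATALOG_SIGNATURE = sign_catalog(CATALOG_BYTES)


def run_demo() -> dict:
    # pkg update: the signature is checked exactly once, on the catalog.
    catalog = verify_catalog(CATALOG_BYTES, CATALOG_SIGNATURE, PUBLIC_KEY,
                             TRUSTED_FINGERPRINTS)
    results = {}
    for name, data in PACKAGES.items():
        results[name] = package_matches_catalog(name, data, catalog)
    # A package altered in transit fails the hash check even though no
    # per-package signature was ever downloaded.
    tampered = PACKAGES["curl-7.34.0.txz"] + b"\x00"
    results["curl-7.34.0.txz (tampered)"] = package_matches_catalog(
        "curl-7.34.0.txz", tampered, catalog)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'OK' if ok else 'REJECTED'}")
```

The point the model makes explicit: a modified catalog or an unpinned repository key is rejected at the update step, and a modified package is rejected at install time by the hash alone, so there is no per-package signature to look for on disk.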