Does pkg check signatures?

Yuri yuri at
Wed Jan 15 02:44:43 UTC 2014

On 01/14/2014 05:48, Baptiste Daroussin wrote:
> secteam doesn't seem to agree with you, talk to them.

Since I didn't find any documentation on how security of package 
transfer works, I did some debugging and learned from there.

The files downloaded from the repository are gzipped tar archives with a .txz 
extension, and contain 3 files inside. For example, if the file is 
mydist.txz, it would contain these files:
* -- RSA public key, always the same in all archives
* mydist.sig -- 256 byte binary RSA signature of mydist file
* mydist -- the payload file

The fingerprint file 
/usr/share/keys/pkg/trusted/ contains the 
SHA256 hash of the .pub file from all .txz archives. So all those 
.pub files are the same, and the secret key is merely its verification 
fingerprint. The .sig file is the RSA signature of the payload file. 
Verification of the mydist payload is done using the .pub certificate.

So this whole process appears to be secure. What confused me is the term 

The only question that I still have is this: Why is this "fingerprint" 
introduced here? Why not just store the corresponding .pub file over 
there as a trusted key? Since this public key is what is used for 
verification, and there is a 1-1 relationship, unless sha256 gets broken. 
Eliminating one concept would have made this system simpler, and 
wouldn't have required having the "fingerprint" term there.
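The two-step check described in the post (trusted fingerprint = SHA256 of the shipped .pub, then RSA signature of the payload verified under that .pub), reproduced below as an added example that is not pkg's code or the poster's; it assumes the openssl CLI is installed, and every key, file name and payload is constructed in the script. It also shows why the fingerprint alone is enough: an archive carrying a different .pub fails at step 1 before its signature is ever checked.

```shell
#!/bin/sh
# Added example, not pkg's own code: rebuilds the three-file archive and the
# two-step check the post describes. Assumes the openssl CLI; all keys, names
# and the payload are constructed here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Helper: SHA256 hex digest of a file, which is all the trusted "fingerprint" holds.
fingerprint_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# Helper: build <name>.txz from a private key and a payload file.
# (gzip is used here for portability; pkg's .txz archives are xz-compressed.)
make_txz() {  # make_txz <name> <private-key> <payload>
    openssl rsa -in "$2" -pubout -out "$1.pub" 2>/dev/null
    cp "$3" "$1"
    # 2048-bit key -> 256-byte signature over the payload's SHA256, as in the post.
    openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
    tar -czf "$1.txz" "$1.pub" "$1.sig" "$1"
}

# Repository side (constructed): one signing key, one good archive.
openssl genrsa -out repo.key 2048 2>/dev/null
printf 'constructed package payload\n' > payload
make_txz mydist repo.key payload

# Client side: the only thing pre-trusted is the SHA256 of the repository's .pub.
TRUSTED_FP=$(fingerprint_of mydist.pub)

# Two failure cases: payload altered after signing; archive signed by another key.
mkdir t && cp mydist.pub mydist.sig t/ && printf 'altered\n' > t/mydist
(cd t && tar -czf ../tampered.txz mydist.pub mydist.sig mydist)
openssl genrsa -out other.key 2048 2>/dev/null
make_txz wrongkey other.key payload

# verify_txz <archive> <trusted-fingerprint>: returns 0 only if both checks pass.
verify_txz() {
    dir=$(mktemp -d); name=$(basename "$1" .txz); rc=1
    tar -xzf "$1" -C "$dir"
    # Step 1: the shipped .pub must hash to the fingerprint we already trust.
    if [ "$(fingerprint_of "$dir/$name.pub")" = "$2" ]; then
        # Step 2: the shipped .sig must verify the payload under that .pub.
        if openssl dgst -sha256 -verify "$dir/$name.pub" \
               -signature "$dir/$name.sig" "$dir/$name" >/dev/null 2>&1; then
            rc=0
        fi
    fi
    rm -rf "$dir"; return $rc
}
```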

