On Tue, Feb 04, 2014 at 03:41:09PM +0100, Daniel Cegiełka wrote:
> 2014-02-04 Kim Twain <[email protected]>:
> > Does pkg_add automatically check these signatures, or, as of now, I'd need
> > to manually download the packages, verify them with signify and then install
> > them locally with pkg_add?
>
> from man pkg:
>
> If a package is digitally signed:
>
> o pkg_add checks that its packing-list is not corrupted and matches the
> cryptographic signature stored within.
>
> o pkg_add verifies that the signature was emitted by a valid user
> certificate, signed by one of the authorities in /etc/ssl/pkgca.pem
>
> o pkg_add verifies that each file matches its sha256 checksum right
> after extraction, before doing anything with it.
>
> o pkg_add verifies that any dangerous mode or owner is registered in
> the packing-list.
>
> more:
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
>
> Daniel
I believe that in -current, the pubkey comes from /etc/signify.
-Otto
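An added example, not part of this thread and not code from pkg_add or OpenBSD, modelling the third and fourth checks in the quoted man page text: each file is hashed right after extraction, from the bytes actually written to disk, and a setuid/setgid mode or non-root owner in the archive headers is only accepted if the packing-list registers it (the headers are not what was signed; the packing-list is). The packing-list syntax is a hypothetical simplification of +CONTENTS (hex sha256 instead of base64, annotations written after the file they describe), the signify/certificate signature step is not modelled, and all sample archives are constructed in memory.

```python
"""Added example: post-signature checks modelled on the pkg_add man page.
Not pkg_add's code; packing-list syntax is a simplified stand-in."""
import hashlib
import io
import os
import stat
import tarfile
import tempfile

DANGEROUS_MODE_BITS = stat.S_ISUID | stat.S_ISGID


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_packing_list(text):
    """Return {path: {"sha": hex, "mode": int or None, "owner": str or None}}.
    '@sha', '@mode' and '@owner' lines annotate the file entry above them
    (a simplification chosen for this example, not the real +CONTENTS rule)."""
    entries, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if not line.startswith("@"):
            current = line
            entries[current] = {"sha": None, "mode": None, "owner": None}
            continue
        if current is None:
            raise ValueError("annotation before any file entry: %r" % line)
        key, _, value = line[1:].partition(" ")
        if key == "sha":
            entries[current]["sha"] = value
        elif key == "mode":
            entries[current]["mode"] = int(value, 8)
        elif key == "owner":
            entries[current]["owner"] = value
        else:
            raise ValueError("unknown annotation: %r" % line)
    return entries


def verify_package(archive_bytes, packing_list):
    """Extract every member into a scratch directory, then check what landed
    on disk. Returns (True, accepted_paths) or (False, reason); nothing from a
    rejected package survives the scratch directory."""
    plist = parse_packing_list(packing_list)
    accepted = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar, \
            tempfile.TemporaryDirectory() as dest:
        for member in tar.getmembers():
            name = member.name
            if not member.isfile():
                return False, "non-regular member not modelled: %s" % name
            if os.path.isabs(name) or ".." in name.split("/"):
                return False, "unsafe path: %s" % name
            if name not in plist:
                return False, "file not listed in packing-list: %s" % name
            want = plist[name]
            # Only the packing-list is signed, not the tar headers, so a
            # setuid/setgid bit or a non-root owner is accepted only when the
            # packing-list registers that exact mode or owner.
            if member.mode & DANGEROUS_MODE_BITS and want["mode"] != member.mode:
                return False, "unregistered setuid/setgid mode on %s" % name
            if member.uname != "root" and want["owner"] != member.uname:
                return False, "unregistered owner %r on %s" % (member.uname, name)
            # Write the member out first, then hash the bytes read back from
            # disk: the check covers what would be installed, not the archive
            # entry that was merely read.
            target = os.path.join(dest, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(member).read())
            with open(target, "rb") as back:
                if sha256_hex(back.read()) != want["sha"]:
                    return False, "sha256 mismatch on %s" % name
            accepted.append(name)
    return True, accepted


def build_archive(files):
    """Constructed test data: files is a list of (path, bytes, mode, uname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content, mode, uname in files:
            info = tarfile.TarInfo(name=path)
            info.size, info.mode, info.uname = len(content), mode, uname
            info.uid = 0 if uname == "root" else 1000
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


HELLO = b"#!/bin/sh\necho hello\n"
GOOD_PLIST = "bin/hello\n@sha %s\n@mode 0755\n" % sha256_hex(HELLO)
SETUID_PLIST = "bin/hello\n@sha %s\n@mode 04755\n" % sha256_hex(HELLO)


def good_package():
    return build_archive([("bin/hello", HELLO, 0o755, "root")]), GOOD_PLIST


def tampered_package():  # same packing-list, different bytes in the archive
    return build_archive([("bin/hello", HELLO + b"rm -rf /\n", 0o755, "root")]), GOOD_PLIST


def unregistered_setuid_package():  # setuid in the header, absent from the list
    return build_archive([("bin/hello", HELLO, 0o4755, "root")]), GOOD_PLIST


def registered_setuid_package():  # setuid in the header and in the list
    return build_archive([("bin/hello", HELLO, 0o4755, "root")]), SETUID_PLIST
```

Run it with, for instance, `verify_package(*tampered_package())`, which returns `(False, 'sha256 mismatch on bin/hello')`, while the registered setuid package is accepted because the packing-list (the signed artifact in the real system) vouches for that mode.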