2014-02-04 Kim Twain <[email protected]>:
> Does pkg_add automatically check these signatures, or, as of now, I'd need
> to manually download the packages, verify them with signify and then install
> them locally with pkg_add?
from man pkg:
If a package is digitally signed:
  o pkg_add checks that its packing-list is not corrupted and matches the
    cryptographic signature stored within.
  o pkg_add verifies that the signature was emitted by a valid user
    certificate, signed by one of the authorities in /etc/ssl/pkgca.pem
  o pkg_add verifies that each file matches its sha256 checksum right
    after extraction, before doing anything with it.
  o pkg_add verifies that any dangerous mode or owner is registered in
    the packing-list.
more:
http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
Daniel
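To make the third and fourth bullets of the quoted man page concrete, here is an added Python model of the per-file checks that happen after extraction: each extracted file is hashed and compared against the SHA-256 recorded in the packing-list, and a setuid/setgid file that the packing-list never declared is flagged. This is illustration code written for this thread, not pkg_add's own implementation; the packing-list syntax it parses (bare file paths followed by `@sha` lines carrying base64 SHA-256 and optional `@mode` lines) is an assumption modelled on OpenBSD packing-lists, and the package tree it builds in `demo()` is constructed for the example.

```python
"""Model of the per-file checks pkg_add performs after extraction.

Added example, not pkg_add's code. The packing-list syntax accepted here
(@sha with base64 SHA-256, @mode for a declared file mode) is an
assumption modelled on OpenBSD packing-lists, not a spec.
"""
import base64
import hashlib
import os
import stat
import tempfile

# Modes pkg_add treats as "dangerous": they must be declared, never implied.
DANGEROUS = stat.S_ISUID | stat.S_ISGID


def parse_packing_list(text):
    """Return a list of {path, sha, mode} dicts from packing-list text.

    File entries are bare paths; '@sha' and '@mode' annotations apply to
    the most recent file entry. Other '@' annotations are ignored here.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("@comment"):
            continue
        if line.startswith("@sha "):
            if current is None:
                raise ValueError("@sha before any file entry")
            current["sha"] = base64.b64decode(line.split(" ", 1)[1])
        elif line.startswith("@mode "):
            if current is None:
                raise ValueError("@mode before any file entry")
            current["mode"] = int(line.split(" ", 1)[1], 8)
        elif line.startswith("@"):
            continue  # @name, @depend, ... are not modelled
        else:
            current = {"path": line, "sha": None, "mode": None}
            entries.append(current)
    return entries


def check_file(root, entry):
    """Classify one extracted file against its packing-list entry."""
    full = os.path.join(root, entry["path"])
    if not os.path.isfile(full):
        return "missing"
    if entry["sha"] is None:
        return "unsigned"  # no checksum recorded: refuse rather than trust
    with open(full, "rb") as fh:
        digest = hashlib.sha256(fh.read()).digest()
    if digest != entry["sha"]:
        return "mismatch"  # content changed between signing and extraction
    actual_mode = stat.S_IMODE(os.stat(full).st_mode)
    if actual_mode & DANGEROUS and entry["mode"] is None:
        return "undeclared-dangerous-mode"
    return "ok"


def verify_extracted(root, plist_text):
    """Map each packing-list path to its verification result."""
    return {e["path"]: check_file(root, e) for e in parse_packing_list(plist_text)}


def b64sha(data):
    """Base64 SHA-256 as it would appear on an @sha line (assumed format)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def demo():
    """Constructed package tree: good, tampered, missing, unsigned and setuid files."""
    good = b"#!/bin/sh\necho hello\n"
    plist = "\n".join([
        "@name demo-1.0",
        "bin/hello",
        "@sha " + b64sha(good),
        "bin/tampered",
        "@sha " + b64sha(good),
        "bin/gone",
        "@sha " + b64sha(b"never extracted"),
        "bin/nosha",
        "bin/suid-tool",
        "@sha " + b64sha(good),
    ])
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("hello", good), ("nosha", good), ("suid-tool", good),
                           ("tampered", good + b"echo tampered\n")):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(data)
        # setuid bit set on extraction, but no @mode in the packing-list
        os.chmod(os.path.join(root, "bin", "suid-tool"), 0o4755)
        return verify_extracted(root, plist)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{path}: {status}")
```

The point to take from the model is the ordering: the checksum is compared before the file is used for anything, and the absence of a declaration is treated as a failure, so a package that quietly ships a setuid binary or omits a checksum is refused rather than accepted by default.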