2014-02-04 Otto Moerbeek <[email protected]>:
> On Tue, Feb 04, 2014 at 03:41:09PM +0100, Daniel Cegiełka wrote:
>
> I believe that in -current, the pubkey comes from /etc/signify.
>
> -Otto
yes, but man pkg_sign:

     -s signify|x509 [-s cert] -s privkey
             Specify signature parameters for signed packages.  Option
             parameters are as follows:

             signify|x509  choose signify(1) or X.509-style signatures.
             cert          the path to the signer's certificate (X.509 only)
             privkey       the path to the signer's private key.  For
                           signify, the private key name is used to set the
                           @signer annotation.  If a corresponding public
                           key is found, the first signatures will be
                           checked for key mismatches.

             For X.509, the signer's certificate and the signer's private key
             should be generated using standard openssl x509 commands.  This
             assumes the existence of a certificate authority (or several),
             whose public information is recorded as a /etc/ssl/pkgca.pem
             file.

http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_sign&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
I like signify, it is simple, small and secure (Ed25519).
Best,
Daniel