2014-02-04 Kim Twain <[email protected]>:
> Does pkg_add automatically check these signatures, or, as of now, I'd need
> to manually download the packages, verify them with signify and then install
> them locally with pkg_add?
In -current, if you don't use any flags to pkg_add, and you don't see any message at the end, the packages were signed and verified. (And by default, post 5.5, pkg_add will probably error out if the packages are not signed if you don't use -Dunsigned!)

Maybe you're already using signed packages and haven't noticed. (There were two or hiccups in some snapshots, but apart from that, things have been working great.)

Getting a streamlined process WAS the difficult part in getting signed packages out, NOT the technical feat of having signed packages... After all, pkg_create/pkg_add has known how to sign stuff for 3 years by now.

signify(1) makes things more transparent: no chain of trust, pure keys.

One cool thing is that the signatures are small enough that they can be embedded directly in the package (which already has sha256 for everything). This has the advantage of decentralization: package snapshots can be partially synchronized, and still each package carries its own signature. Less margin for strange errors -> stuff that works most of the time -> more trustworthy.

Remember that message about ssh keys that changed that you used to get when admins weren't savvy about getting keys around, or all those self-signed https certificates you've been trained to ignore? Signatures are the same. If they're not 100% present by default, people will be trained to ignore them.

If you think security is a technicality, you only have 1/3rd of the story. Getting the process right and making sure the users don't do anything stupid is the right part.
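An added example, not code from this thread nor from pkg_add or signify, that models in Go the design the reply describes: a per-file sha256 manifest, an Ed25519 signature (the algorithm signify uses) embedded in the package itself so each package verifies on its own with nothing but a public key, and a verifier that refuses unsigned packages unless the caller opts in, the way pkg_add does without -Dunsigned. The File/Package types and the manifest layout are assumptions made for the demo, not the real package format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// File and Package are a constructed stand-in for a binary package: an ordered
// file list plus the signature embedded in the package itself (nil when the
// package is unsigned). Not the real pkg_add/signify format, only the idea.
type File struct{ Name, Data string }

type Package struct {
	Files     []File
	Signature []byte
}

// Manifest lists every file with its sha256 (the package already carries
// sha256 for everything), so the signed bytes cover all of the contents.
func Manifest(p *Package) []byte {
	var m []byte
	for _, f := range p.Files {
		m = append(m, fmt.Sprintf("%x %s\n", sha256.Sum256([]byte(f.Data)), f.Name)...)
	}
	return m
}

// Sign embeds an Ed25519 signature over the manifest in the package itself:
// pure keys, no chain of trust, and a partial snapshot still verifies per package.
func Sign(p *Package, priv ed25519.PrivateKey) {
	p.Signature = ed25519.Sign(priv, Manifest(p))
}

// Verify applies the default the reply describes: a missing signature is an
// error unless the caller opts in (the -Dunsigned analogue), and a signature
// that does not match the recomputed manifest is always an error.
func Verify(p *Package, pub ed25519.PublicKey, allowUnsigned bool) error {
	switch {
	case p.Signature == nil && allowUnsigned:
		return nil
	case p.Signature == nil:
		return errors.New("package is not signed")
	case !ed25519.Verify(pub, Manifest(p), p.Signature):
		return errors.New("signature does not match package contents")
	}
	return nil
}
```

Silence from Verify is the "no message at the end" case; the two error strings are the cases a real pkg_add would stop on.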

