On Tue, Nov 20, 2012 at 03:46:45PM +0000, Rodolfo Gouveia wrote:
> Hi all,
> So following the http://www.openbsd.org/faq//faq15.html#PkgSig
> I can see it's not mentioned that if you want to install
> signed built packages on another machine besides the one you
> built you have to copy /etc/ssl/pkgca.pem to it. Although it's
> mentioned in package(5), I think it would help if in the FAQ it
> said so.
> And is it possible to force or limit pkg_add just to add
> signed packages only?
Try this:
--- usr.sbin/pkg_add/OpenBSD/PkgAdd.pm (revision 10073)
+++ usr.sbin/pkg_add/OpenBSD/PkgAdd.pm (working copy)
@@ -660,24 +660,15 @@
$state->set_name_from_handle($handle, '+');
my $plist = $handle->plist;
if ($plist->is_signed) {
- if ($state->defines('nosig')) {
- $state->errsay("NOT CHECKING DIGITAL SIGNATURE
FOR #1",
- $plist->pkgname);
- $state->{check_digest} = 0;
- } else {
- require OpenBSD::x509;
+ require OpenBSD::x509;
- if (!OpenBSD::x509::check_signature($plist,
- $state)) {
- $state->fatal("#1 is corrupted",
- $set->print);
- }
- $state->{check_digest} = 1;
- $state->{packages_with_sig}++;
+ if (!OpenBSD::x509::check_signature($plist, $state)) {
+ die "Fatal: issues in ", $set->print;
}
+ $state->{check_digest} = 1;
+ $state->{packages_with_sig}++;
} else {
- $state->{packages_without_sig}{$plist->pkgname} = 1;
- $state->{check_digest} = 0;
+ die "Fatal: can't install unsigned packages: ",
$set->print;
}
}
}
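Review bot: The signature-failure branch swaps `$state->fatal("#1 is corrupted", $set->print)` for a bare `die "Fatal: issues in ", ...`, and the new unsigned-package branch also uses `die`. Keeping `$state->fatal(...)` in both places would leave error reporting on the same path the removed code used, and the new message "issues in" is less specific than the original "is corrupted". The refusal of unsigned packages is also unconditional: the `nosig` define is removed and nothing replaces it, so the behaviour cannot be switched off without reverting the patch. Consider gating the new `die` in the `else` branch on a `$state->defines(...)` check, in the style of the removed `nosig` test, so that strict mode is an explicit choice. Finally, `$state->{packages_without_sig}` is no longer populated anywhere in this hunk; if anything else reads it, that code should be checked or removed in the same change.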
--
Antoine