About a week ago, we switched to the new signing scheme by default.
There are good reasons to bury the old signing scheme completely, so
this is what's currently happening, there are some rough edges.
Technically speaking, the new signatures are "outside", they're in
the gzip header, and the only thing that sees them is signify -Zs.
pkg_add/fw_update only ever sees "safe" input, so that all the data
that will be gunzip'd/untared is already checked.
This has some rough edges.
- old snapshots will not see the new signatures at all (this is still
a gzip archive with transparent information) and report everything as
unsigned.
- the new scheme is slightly more unflexible with respect to unsigned
data: by default, every .tgz is piped thru signify -Zs, so
pkg_add/pkg_info/fw_update WON'T even see any data if it's not signed.
Error reporting is inadequate, to say the least. I'm working on fixing
that, but there is some code I do not like, so there is a great deal of
rewrite.
- I'm still in the process of taking out old signatures entirely. Pretty
soon, the only place it will still be around is that packing-lists may
still contain old signatures... necessary for old installed packages that
don't change that often. Again, rough edges.
- I'm working on ways to mix unsigned and signed packages in a sane way.
I've added TRUSTED_PKG_PATH, and I will have a mechanism that says
some sources are safe (/usr/ports/packages/%a/all, for instance).
This is unnecessary if you only install official binary stuff, but it is
necessary for development or for people who really want to tinker with
their machines.
- pkg_sign lost the ability to sign distant sources temporarily.
