Date:      Tue, 6 Feb 2001 02:20:59 -0800
From:      Jeremy Lea <reg@FreeBSD.org>
To:        Wes Peters <wes@FreeBSD.org>
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/pkg_install/sign Makefile README check.c common.c extern.h gzip.c gzip.h main.c pgp.h pgp_check.c pgp_sign.c pkg_sign.1 sha1.c sign.c stand.c stand.h x509.c
Message-ID:  <20010206022059.G8780@shale.csir.co.za>
In-Reply-To: <200102060646.f166kgf65013@freefall.freebsd.org>; from wes@FreeBSD.org on Mon, Feb 05, 2001 at 10:46:42PM -0800
References:  <200102060646.f166kgf65013@freefall.freebsd.org>

Hi,

On Mon, Feb 05, 2001 at 10:46:42PM -0800, Wes Peters wrote:
>   Add package signing utilities; somebody might actually want them.
>   These are not enabled in the pkg_install Makefile as of yet;
>   adding the "sign" directory to the SUBDIR list will enable
>   building of sign.

I've been giving this problem some thought, and I think that this is
implemented in the wrong place:  In pkg_add we don't see the gzip'ed
tarball - it's piped directly into tar.  Also, if we change the
packaging format, we have to change the means of signing.

We have a packaging list, which contains MD5 checksums for all of our
files (well not all in the current version, but all in my development
version).  The packaging list is not self referenced in the packaging
list - since all packages must have one.  Thus the packing list by
itself is a certificate for the rest of the package - and we can use a
standard text based signature, attached to the packaging list, as a
verification of the entire package.  This could be included as a
separate file (which would not be listed in the packaging list), or as a
@comment at the end of the list.

This way we would not have to play special tricks with the tarballs.

We will still need a key management protocol for the package tools
though.  I'll take a look at this code and see what I can merge in with
my development version of the pkg_* tools.

Regards,
 -Jeremy

-- 
FreeBSD - Because the best things in life are free...
                                           http://www.freebsd.org/
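
The scheme proposed in the message above (sign only the packing list, then let its MD5 lines vouch for every file), as an added example that is not part of the original mail or of pkg_install. Assumptions: the `@comment SIGNATURE:` marker is hypothetical, HMAC-SHA256 stands in for the PGP or X.509 signature a real tool would use, and the key, package name and file contents are constructed.

```python
import hashlib
import hmac

SIG_PREFIX = "@comment SIGNATURE:"  # hypothetical marker, not a pkg_install keyword
MD5_PREFIX = "@comment MD5:"        # checksum line that follows each file entry

def _tag(body, key):
    # Stand-in for a PGP or X.509 signature: HMAC-SHA256 over the list text.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def build_list(name, files):
    """Constructed packing list: one path line plus one MD5 line per file."""
    lines = ["@name " + name, "@cwd /usr/local"]
    for path, data in files.items():
        lines += [path, MD5_PREFIX + hashlib.md5(data).hexdigest()]
    return "\n".join(lines) + "\n"

def sign_list(body, key):
    """Append the signature as a trailing @comment line."""
    return body + SIG_PREFIX + _tag(body, key) + "\n"

def verify_package(plist, files, key):
    """Return a list of problems; an empty list means the package verifies."""
    body, sep, last = plist.rstrip("\n").rpartition("\n")
    if not sep or not last.startswith(SIG_PREFIX):
        return ["packing list is unsigned"]
    body += "\n"  # the signature covers everything before its own line
    claimed = last[len(SIG_PREFIX):].encode()
    if not hmac.compare_digest(_tag(body, key).encode(), claimed):
        return ["bad signature on packing list"]
    # The list is authentic, so its checksums can now vouch for the files.
    problems, sums, current = [], {}, None
    for line in body.splitlines():
        if line.startswith(MD5_PREFIX) and current is not None:
            sums[current] = line[len(MD5_PREFIX):]
        elif line and not line.startswith("@"):
            current = line
            sums[current] = None
    for path, digest in sums.items():
        if digest is None:
            problems.append(path + ": no checksum in list")
        elif path not in files:
            problems.append(path + ": missing from archive")
        elif hashlib.md5(files[path]).hexdigest() != digest:
            problems.append(path + ": checksum mismatch")
    problems += [p + ": not in packing list" for p in files if p not in sums]
    return problems

# Constructed sample package contents (the packing list itself is not listed).
KEY = b"constructed-demo-key"
FILES = {"bin/hello": b"#!/bin/sh\necho hello\n", "man/man1/hello.1": b".TH HELLO 1\n"}
SIGNED = sign_list(build_list("hello-1.0", FILES), KEY)
```

The file checks run only after the list's signature verifies, and a file present in the archive but absent from the list is reported rather than ignored.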

