Christian Weisgerber wrote:

> What's the best way to check the signatures and integrity of a bunch
> of OpenBSD packages? pkg_add -n or -s do this, but they produce
> too much unrelated spew. pkg_info does not check the signature.
>
> The CDs and FTP mirrors tend to have SHA256.sig files at the directory
> level, but shouldn't there be an easy way to use the embedded
> signatures for this?
If I'm not mistaken, pkg* will use the index.txt file to find matches, which is how "pkg_add vim" knows which vims to ask me about. Maybe it should use the SHA256.sig file instead? It contains all the necessary information (filenames) and is hardly any bigger.

-rw-r--r--  1 tedu  tedu  697874 Feb 17 16:39 SHA256.sig
-rw-r--r--  1 tedu  tedu  662931 Feb 17 16:39 index.txt

I'm not sure what you're after, though. Do you want to check a mirror is good before downloading? Even the embedded signature requires downloading the full package to verify the contents are good. Checking SHA256.sig will be a little faster since it doesn't require unpacking and file by file comparison.

An option to only check the signature on the plist would be interesting, though I'd be a little concerned that it may return success even though the package contents are wrong.

BTW, I found a bug. Even pkg_add doesn't check the +DESC file. I modified the DESC for colorls, and now I have this:

> pkg_info colorls
Information for inst:colorls-5.6p0

Comment:
ls that can use color to display file attributes

Description:
It's a trap!!!

I don't think pkg_add should have installed that package. It's obviously a trap. :)

pkg_info and pkg_add should always be checking +DESC.
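The reply above suggests using the checksum lines in SHA256.sig rather than index.txt to decide what to verify. The script below is an added example, not code from the thread or from the OpenBSD package tools: it parses a SHA256.sig-style file (signify's two header lines followed by "SHA256 (name) = digest" lines), compares the digests of whatever listed files are present in a directory, and fails if any mismatch or if nothing at all was checked. It assumes the signature on SHA256.sig has already been validated with signify(1) against the release's pkg key (the key file name below is a placeholder); the sample packages, header and signature line in make_demo are constructed for the demo.

```shell
#!/bin/sh
# Added example: digest check of local package files against the
# checksum lines of a SHA256.sig-style file. The signature itself must
# be checked first with signify(1), e.g.
#   signify -C -p /etc/signify/openbsd-NN-pkg.pub -x SHA256.sig a-1.0.tgz
# (NN is a placeholder for the release); this script only does the
# digest comparison for every listed file that has been downloaded.

# Print the hex SHA-256 of a file; uses sha256(1) on OpenBSD,
# sha256sum(1) elsewhere.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_listed SIGFILE DIR
# Returns 0 if every listed file present in DIR matches its digest,
# 1 if any mismatches or if no listed file was found at all.
verify_listed() {
    sigfile=$1; dir=$2; bad=0; checked=0
    while IFS= read -r line; do
        case $line in
            "SHA256 ("*") = "*) ;;
            *) continue ;;      # skip the signify header and anything else
        esac
        name=${line#SHA256 (}; name=${name%%) = *}
        want=${line##* = }
        [ -f "$dir/$name" ] || continue   # not downloaded, nothing to check
        checked=$((checked + 1))
        got=$(sha256_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK   $name"
        else
            echo "FAIL $name"
            bad=1
        fi
    done < "$sigfile"
    [ "$checked" -gt 0 ] || bad=1       # verifying nothing is also a failure
    return $bad
}

# make_demo: build a temporary directory with two constructed stand-in
# package files and a matching SHA256.sig (placeholder signature header);
# prints the directory name.
make_demo() {
    d=$(mktemp -d)
    printf 'constructed package one\n' > "$d/a-1.0.tgz"
    printf 'constructed package two\n' > "$d/b-2.3p1.tgz"
    {
        echo 'untrusted comment: placeholder, verify with openbsd-NN-pkg.pub'
        echo 'RWQplaceholdersignatureline=='
        for f in a-1.0.tgz b-2.3p1.tgz; do
            echo "SHA256 ($f) = $(sha256_of "$d/$f")"
        done
    } > "$d/SHA256.sig"
    echo "$d"
}

# Usage: sh verify.sh demo   (runs the constructed demo, then tampers
# with one package and shows the check failing)
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo)
    verify_listed "$d/SHA256.sig" "$d"
    echo 'tampered' >> "$d/b-2.3p1.tgz"
    verify_listed "$d/SHA256.sig" "$d" || echo "check failed as expected"
fi
```

Only files that are actually present are compared, which matches the use case in the question (a batch of already-downloaded packages); a file listed in SHA256.sig but absent is simply not verified, so the script treats "nothing checked" as a failure rather than a pass.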