Christian Weisgerber wrote:
> What's the best way to check the signatures and integrity of a bunch
> of OpenBSD packages?  pkg_add -n or -s do this, but they produce
> too much unrelated spew.  pkg_info does not check the signature.
> 
> The CDs and FTP mirrors tend to have SHA256.sig files at the directory
> level, but shouldn't there be an easy way to use the embedded
> signatures for this?

If I'm not mistaken, pkg* will use the index.txt file to find matches, which
is how "pkg_add vim" knows which vims to ask me about. Maybe it should use the
SHA256.sig file instead? It contains all the necessary information (filenames)
and is hardly any bigger.

-rw-r--r--  1 tedu  tedu  697874 Feb 17 16:39 SHA256.sig
-rw-r--r--  1 tedu  tedu  662931 Feb 17 16:39 index.txt

I'm not sure what you're after, though. Do you want to check a mirror is good
before downloading? Even the embedded signature requires downloading the full
package to verify the contents are good. Checking SHA256.sig will be a little
faster since it doesn't require unpacking and file by file comparison.

An option to only check the signature on the plist would be interesting,
though I'd be a little concerned that it may return success even though the
package contents are wrong.

BTW, I found a bug. Even pkg_add doesn't check the +DESC file. I modified the
DESC for colorls, and now I have this:

> pkg_info colorls        
Information for inst:colorls-5.6p0

Comment:
ls that can use color to display file attributes

Description:
It's a trap!!!

I don't think pkg_add should have installed that package. It's obviously a trap. :)

pkg_info and pkg_add should always be checking +DESC.
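The "check SHA256.sig without unpacking anything" approach discussed above, as an added example that is not part of the thread and not code from the OpenBSD pkg tools. On OpenBSD itself `signify -C -p <pubkey> -x SHA256.sig [files]` already does this end to end (signature on the list, then each file's digest); the script below covers only the checksum-list half, portably, and assumes the signify signature on the list has been verified first with that command (the `openbsd-XX-pkg.pub` key name and the sample listing, files and hashes are constructed for the demo):

```python
"""Check package files against an OpenBSD-style SHA256.sig checksum list.

Added example, not from the mailing-list thread or from pkg_add/pkg_info.
Assumption: the signify signature on the list was already checked, e.g.
    signify -C -p /etc/signify/openbsd-XX-pkg.pub -x SHA256.sig
(key name is a placeholder). Only the per-file digest comparison is done here,
which is the part that does not need the package unpacked.
"""
import hashlib
import os
import re
import tempfile

# One checksum line of SHA256.sig, in the BSD sha256(1) output format.
LINE_RE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")


def parse_sha256_list(text):
    """Return {filename: hexdigest} from the body of a SHA256.sig.

    The signify header ('untrusted comment: ...') and the base64 signature
    line that follows it are skipped; any other non-checksum line is an
    error rather than being silently ignored.
    """
    digests = {}
    skip_next = False
    for line in text.splitlines():
        if skip_next:            # base64 signature line after the comment
            skip_next = False
            continue
        if line.startswith("untrusted comment:"):
            skip_next = True
            continue
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unexpected line in checksum list: %r" % line)
        name, hexdigest = m.group(1), m.group(2)
        if name in digests:
            raise ValueError("duplicate entry for %s" % name)
        digests[name] = hexdigest
    return digests


def sha256_of_file(path):
    """Stream the file through SHA-256; packages can be large."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_packages(listing_text, directory, names=None):
    """Compare files in `directory` against the list.

    Returns {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}.
    `names` limits the check to those package files; by default every listed
    file is checked. A requested file absent from the list is 'unlisted',
    since a list that omits it proves nothing about it.
    """
    expected = parse_sha256_list(listing_text)
    results = {}
    for name in (names if names is not None else expected):
        if name not in expected:
            results[name] = "unlisted"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_of_file(path) == expected[name]:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed sample: two tiny stand-in 'packages' and a hand-built
    listing in which one file was altered and one is absent from the mirror."""
    good = b"contents of package a\n"
    original_b = b"contents of package b\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "a-1.0.tgz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "b-2.0.tgz"), "wb") as f:
            f.write(b"something else entirely\n")   # mirror served altered bytes
        listing = "\n".join([
            "untrusted comment: verify with openbsd-XX-pkg.pub",
            "RWQ" + "A" * 97,                      # placeholder for the signature line
            "SHA256 (a-1.0.tgz) = " + hashlib.sha256(good).hexdigest(),
            "SHA256 (b-2.0.tgz) = " + hashlib.sha256(original_b).hexdigest(),
            "SHA256 (c-3.0.tgz) = " + "0" * 64,
            "",
        ])
        return check_packages(listing, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-12s %s" % (name, status))
```

Note the caveat from the message still applies: this confirms the bytes on the mirror match the signed list, which is exactly what makes it faster than the embedded-signature path, but it says nothing about a package whose list entry is itself missing, so treat 'unlisted' as a failure rather than as "nothing to check".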
