Hi, Thx to letsencrypt, i switched my server to full-https, and while here setupped a signify key for the packages i build. That still means that you need to trust me (and who am i to be trusted?), the root CA that trusts letsencrypt, and upstream mozilla, but that was a nice experiment, and somewhat requested. That doesnt mean i endorse all the fluff and wanking around privacy/trust/whatnot...
Note the difference, since the server now uses HSTS, if you still use a PKG_PATH pointing to http:// pkg_add might spew warnings when scanning the repo: Error from http://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz Redirected to https://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz Requesting https://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz The git/cgit repo is now accessible over https if you want to build packages yourself: https://cgit.rhaalovely.net/mozilla-firefox/?h=release git clone -b release https://git.rhaalovely.net/git/mozilla-firefox The key & packages are on the same server: $doas ftp -o /etc/signify/landry-mozilla-pkg.pub https://rhaalovely.net/stuff/landry-mozilla-pkg.pub $PKG_PATH=https://rhaalovely.net/stuff/i386/ doas pkg_add firefox (or) $PKG_PATH=https://rhaalovely.net/stuff/amd64/ doas pkg_add firefox And you can check that the package/PLIST is effectively signed by this key: $pkg_info -f /var/db/pkg/firefox-43.0rc1 |grep sign @signer landry-mozilla-pkg @digital-signature signify:2015-12-12T11:16:08Z:RWRh/RSo0GgoYkXCBR/rv1w+zIm3snIJ8vxil57GUaLunfMCjtwhrYtcW/HPH4x43KxrFn+vYYuekCwbc7jD1ZSEiI71HuMe2Ag= Landry >
