From: Yuri <yuri@rawbw.com>
Date: Tue, 14 Jan 2014 04:42:54 -0800
To: Matthew Seaman, freebsd-pkg@freebsd.org
Subject: Re: Does pkg check signatures?
Message-ID: <52D530CE.4090908@rawbw.com>
In-Reply-To: <52D52926.5090104@infracaninophile.co.uk>
List-Id: Binary package management and package tools discussion

On 01/14/2014 04:10, Matthew Seaman wrote:
> pkg is fully capable of checking cryptographic signatures if configured
> to do so. Specifically you need 'signature-type' and 'fingerprints'
> defined in your repo.conf
>
> Try using the standard /etc/pkg/FreeBSD.conf available here:
>
> http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=log
>
> and the public key in /usr/share/keys/pkg available here:
>
> http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?view=log

I followed your instructions.

File /usr/local/etc/pkg/repos/FreeBSD.conf is like this:

---begin---
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
---end---

and file /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is like this:

---begin---
# $FreeBSD$
function: "sha256"
fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
---end---

'pkg install' reads the first file, doesn't read the second file, and succeeds in downloading and installing a package.

Something is wrong. Which file is this fingerprint for? Every downloaded file should have an individual signature downloaded with it.

Yuri
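The fingerprint file quoted above records a SHA-256 hash, not a signature, and the thread does not spell out what it is a hash of. The example below, added here and not part of the original message or of pkg itself, shows the check that a "fingerprints" directory of this shape supports: hash the public key a repository presents alongside its signed catalogue, refuse it if the hash is listed under revoked/, accept it only if the hash is listed under trusted/. That this is the role of the trusted/ and revoked/ directories is my understanding of the scheme and is stated as an assumption; the parsed file format is exactly the two-field layout shown in the thread. The "keys" in the demo are constructed placeholder bytes, not real public keys, and the temporary directory it builds stands in for /usr/share/keys/pkg.

```python
"""Check a repository public key against a pkg-style fingerprints directory.

Added example, not pkg's own code. Assumption: the fingerprint is the
SHA-256 of the public key file the repository ships, and trusted/ and
revoked/ under the fingerprints directory hold entries in the format
quoted in the thread (function: "sha256" / fingerprint: "<hex>").
"""
import hashlib
import os
import re
import tempfile

# One quoted field per line, as in /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301
FIELD_RE = re.compile(r'^\s*(function|fingerprint)\s*:\s*"([^"]+)"\s*$')

# Constructed placeholder "keys"; any bytes work because only their hash is compared.
TRUSTED_KEY = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-TRUSTED-KEY\n-----END PUBLIC KEY-----\n"
REVOKED_KEY = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-REVOKED-KEY\n-----END PUBLIC KEY-----\n"
UNKNOWN_KEY = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-UNKNOWN-KEY\n-----END PUBLIC KEY-----\n"


def parse_fingerprint_file(path):
    """Return the lower-cased hex fingerprint from one trusted/ or revoked/ entry."""
    fields = {}
    with open(path) as fh:
        for line in fh:
            line = line.split("#", 1)[0]  # drop comment lines such as "# $FreeBSD$"
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).lower()
    # Only sha256 is handled; an unknown hash function must fail closed, not be skipped.
    if fields.get("function") != "sha256" or "fingerprint" not in fields:
        raise ValueError(f"{path}: unsupported or incomplete fingerprint entry")
    return fields["fingerprint"]


def load_fingerprints(dirpath):
    """Collect every fingerprint in a directory; a missing directory is simply empty."""
    fps = set()
    if not os.path.isdir(dirpath):
        return fps
    for name in sorted(os.listdir(dirpath)):
        full = os.path.join(dirpath, name)
        if os.path.isfile(full):
            fps.add(parse_fingerprint_file(full))
    return fps


def classify_pubkey(pubkey_pem, keys_dir):
    """Return 'revoked', 'trusted' or 'unknown' for the key a repository presented."""
    digest = hashlib.sha256(pubkey_pem).hexdigest()
    if digest in load_fingerprints(os.path.join(keys_dir, "revoked")):
        return "revoked"  # revocation is checked first so it always wins over trust
    if digest in load_fingerprints(os.path.join(keys_dir, "trusted")):
        return "trusted"
    return "unknown"  # a key that is not trusted must not be used to verify anything


def build_demo_keys_dir():
    """Create a throw-away keys directory with one trusted and one revoked entry."""
    keys_dir = tempfile.mkdtemp(prefix="pkgkeys-")
    for sub, name, key in (("trusted", "repo.example.2014", TRUSTED_KEY),
                           ("revoked", "repo.example.2013", REVOKED_KEY)):
        os.makedirs(os.path.join(keys_dir, sub))
        with open(os.path.join(keys_dir, sub, name), "w") as fh:
            fh.write("# constructed sample entry\n")
            fh.write('function: "sha256"\n')
            fh.write(f'fingerprint: "{hashlib.sha256(key).hexdigest()}"\n')
    return keys_dir


if __name__ == "__main__":
    demo_dir = build_demo_keys_dir()
    for label, key in (("trusted", TRUSTED_KEY), ("revoked", REVOKED_KEY), ("unknown", UNKNOWN_KEY)):
        print(f"{label:8s} key -> {classify_pubkey(key, demo_dir)}")
```

The point of the layered lookup is the answer to the question in the message: the fingerprint pins which signing key is acceptable, and the per-file signature check only has meaning once the key that made the signature has passed this step.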