Date:      Fri, 14 Feb 1997 09:52:25 -0800 (PST)
From:      Paul Traina <pst@jnx.com>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        jkh@freebsd.org, guido@freebsd.org
Subject:   bin/2735: package/tarball distribution security (we should be signing)
Message-ID:  <199702141752.JAA16138@base.jnx.com>
Resent-Message-ID: <199702141800.KAA19018@freefall.freebsd.org>



>Number:         2735
>Category:       bin
>Synopsis:       Add signature support (both MD5 and PGP) to pkg_*
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 14 10:00:02 PST 1997
>Last-Modified:
>Originator:     Paul Traina
>Organization:
Juniper Networks
>Release:        FreeBSD 2.2-CURRENT i386
>Environment:

Irrelevant.

>Description:

One feature that I've always wanted is to have the ability for a package
creator to sign a package with his or her pgp key, so that you can say:
"This package really was from Satoshi and hasn't been modified by a mirror
site".

This can currently be done just by creating detached signatures and
keeping a file of them someplace "safe" -- but even better would be a
way to integrate that directly into the package, giving us a way to
validate an entire package, either via a public/private key pair, or
at least MD5 across the entire .tgz file (not just the individual
components) where RSA is either unreasonable or unavailable.


>How-To-Repeat:

>Fix:
	
I know some of the Linux packages use the following tgz within a
tar file hack to produce a single .tar file that is "self-signed".

	      /---
	      |	<current .tgz package>
new .tar file |	<md5 sig>
	      |	<pgp sig>
	      \---
>Audit-Trail:
>Unformatted:
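
The wrapper layout sketched under ">Fix:" can be exercised with the following added example, which is not part of the original report or of pkg_*: it builds the outer .tar and checks the whole-file MD5 before handing back the inner .tgz. The member names and the sample package are assumptions, and the PGP signature is carried as opaque bytes for an external PGP tool to verify over the inner .tgz.

```python
import hashlib
import io
import tarfile

# Member names are assumptions; the report only sketches the layout.
PKG, MD5, SIG = "package.tgz", "package.tgz.md5", "package.tgz.sig"


def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def sample_inner():
    """Constructed stand-in for <current .tgz package>."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add(tar, "+CONTENTS", b"@name demo-1.0\n")
    return buf.getvalue()


def wrap(inner_tgz, signature=b""):
    """Build the outer .tar: inner .tgz, its MD5, and a detached signature."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, PKG, inner_tgz)
        _add(tar, MD5, hashlib.md5(inner_tgz).hexdigest().encode())
        _add(tar, SIG, signature)
    return buf.getvalue()


def unwrap(outer):
    """Return (inner_tgz, signature) only if layout and digest check out."""
    with tarfile.open(fileobj=io.BytesIO(outer), mode="r:") as tar:
        members = tar.getmembers()
        names = [m.name for m in members]
        if names != [PKG, MD5, SIG] or not all(m.isfile() for m in members):
            raise ValueError("unexpected wrapper layout")
        inner, digest, sig = (tar.extractfile(m).read() for m in members)
    # Digest covers the entire .tgz, not its individual components.
    if hashlib.md5(inner).hexdigest().encode() != digest.strip():
        raise ValueError("MD5 mismatch: inner .tgz was altered")
    return inner, sig
```

The MD5 member travels with the package, so it only catches corruption; anyone able to alter the .tgz can rewrite the digest too, and the "really from the creator" property rests on verifying the signature against a key obtained out of band.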

