From owner-freebsd-bugs Fri Feb 14 10:00:07 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA19025 for bugs-outgoing; Fri, 14 Feb 1997 10:00:07 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA19018; Fri, 14 Feb 1997 10:00:03 -0800 (PST)
Resent-Date: Fri, 14 Feb 1997 10:00:03 -0800 (PST)
Resent-Message-Id: <199702141800.KAA19018@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, pst@jnx.com
Received: from red.jnx.com (red.jnx.com [208.197.169.254]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA18645; Fri, 14 Feb 1997 09:53:02 -0800 (PST)
Received: from base.jnx.com (base.jnx.com [208.197.169.238]) by red.jnx.com (8.8.5/8.8.3) with ESMTP id JAA22643; Fri, 14 Feb 1997 09:52:31 -0800 (PST)
Received: (from pst@localhost) by base.jnx.com (8.7.6/8.7.3) id JAA16138; Fri, 14 Feb 1997 09:52:25 -0800 (PST)
Message-Id: <199702141752.JAA16138@base.jnx.com>
Date: Fri, 14 Feb 1997 09:52:25 -0800 (PST)
From: Paul Traina
Reply-To: pst@jnx.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: jkh@freebsd.org, guido@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/2735: package/tarball distribution security (we should be signing)
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 2735
>Category: bin
>Synopsis: Add signature support (both MD5 and PGP) to pkg_*
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Feb 14 10:00:02 PST 1997
>Last-Modified:
>Originator: Paul Traina
>Organization: Juniper Networks
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
Irrelevant.
>Description:
One feature that I've always wanted is to have the ability for a package creator to sign a package with his or her pgp key, so that you can say: "This package really was from Satoshi and hasn't been modified by a mirror site". This can currently be done just by creating detached signatures and keeping a file of them someplace "safe" -- but even better would be a way to integrate that directly into the package, giving us a way to validate an entire package, either via a public/private key pair, or at least MD5 across the entire .tgz file (not just the individual components) where RSA is either unreasonable or unavailable.
>How-To-Repeat:
>Fix:
I know some of the linux packages use the following tgz within a tar file hack to produce a single .tar file that is "self-signed".

/---
| new .tar file
|
\---

>Audit-Trail:
>Unformatted:
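The "self-signed" tgz-within-a-tar layout the PR proposes, together with the MD5-versus-signature distinction its description draws, worked through as a Python example added here (it is not the PR's code and not how pkg_* works). The PGP detached signature is stood in for by an HMAC under a constructed key, because the standard library has no PGP; the package contents and the mirror scenario are constructed for the demonstration.

```python
import hashlib
import hmac
import io
import tarfile
# Constructed stand-in for a PGP detached signature: an HMAC under a key only the
# packager holds. Real pkg_* code would call gpg --detach-sign / --verify instead.
DEMO_KEY = b"packager-demo-key"

def sign_tgz(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def _add_member(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_inner_tgz(files: dict) -> bytes:
    """Constructed package payload: a .tgz of {path: contents}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            _add_member(tar, name, data)
    return buf.getvalue()

def build_outer_tar(pkg: str, tgz: bytes, sig: bytes = None) -> bytes:
    """One .tar holding the .tgz, an MD5 over the whole .tgz, and its signature."""
    md5 = hashlib.md5(tgz).hexdigest()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_member(tar, f"{pkg}.tgz", tgz)
        _add_member(tar, f"{pkg}.tgz.md5", f"{md5}  {pkg}.tgz\n".encode())
        _add_member(tar, f"{pkg}.tgz.sig", sig if sig is not None else sign_tgz(tgz))
    return buf.getvalue()

def verify_outer_tar(outer: bytes, pkg: str) -> dict:
    """Report which checks pass. The MD5 travels with the package, so it only
    catches corruption; the signature is what ties the .tgz to the packager."""
    with tarfile.open(fileobj=io.BytesIO(outer), mode="r") as tar:
        m = {i.name: tar.extractfile(i).read() for i in tar.getmembers()}
    tgz = m[f"{pkg}.tgz"]
    md5_ok = m[f"{pkg}.tgz.md5"].split()[0].decode() == hashlib.md5(tgz).hexdigest()
    sig_ok = hmac.compare_digest(m[f"{pkg}.tgz.sig"], sign_tgz(tgz))
    return {"md5": md5_ok, "signature": sig_ok}

def mirror_rewrite(outer: bytes, pkg: str, new_files: dict) -> bytes:
    """Mirror model from the PR: swap payload, refresh MD5, reuse old signature (no key)."""
    with tarfile.open(fileobj=io.BytesIO(outer), mode="r") as tar:
        old_sig = tar.extractfile(f"{pkg}.tgz.sig").read()
    return build_outer_tar(pkg, build_inner_tgz(new_files), old_sig)
```

Running the verifier on a mirror-rewritten package shows the MD5 still matching while the signature fails, which is exactly why the PR treats whole-file MD5 as the fallback rather than the goal.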