Date:      Sun, 31 Dec 2000 10:54:58 -0700
From:      Wes Peters <wes@softweyr.com>
To:        "Michael C . Wu" <keichii@peorth.iteration.net>
Cc:        Will Andrews <will@physics.purdue.edu>, ports@FreeBSD.ORG, Robert Watson <rwatson@FreeBSD.ORG>, Warner Losh <imp@village.org>, Kris Kennaway <kris@FreeBSD.ORG>
Subject:   Re: Package signing tools
Message-ID:  <3A4F72F2.E273B8C9@softweyr.com>
References:  <3A4ED1C0.14061CE5@softweyr.com> <20001231003920.A24519@peorth.iteration.net> <20001231014344.T305@argon.firepipe.net> <3A4EDE33.84C7072@softweyr.com> <20001231022101.A24801@peorth.iteration.net>

"Michael C . Wu" wrote:
> 
> On Sun, Dec 31, 2000 at 12:20:19AM -0700, Wes Peters scribbled:
> | Will Andrews wrote:
> | >
> | > On Sun, Dec 31, 2000 at 12:39:20AM -0600, Michael C . Wu wrote:
> | > > You can also use the Perl PGP module.  However, at the very least you
> | > > really want to have PGP5 or PGP6.
> | >
> | > What about other types of signatures?  Should we support more than one kind?
> |
> | It currently supports X.509 (which I heartily recommend), PGP (which is
> | somewhat shaky, as I pointed out), and MD5, where you prime the ports
> | database with an MD5 file and then check the MD5 of the .tgz file
> | against that.
> 
> You misunderstood me. :) I was saying, "You can replace original PGP
> with perl pgp module or pgp5/6."

Oh, I see.  What we really need is a PGP library, which I think GPG was
supposed to provide someday.  Having a non-GPL PGP library would sure be
nice.

> | > > Consider integrating pkg_version with this?  This would allow
> | > > for global ports update.
> | >
> | > Yes, PLEASE don't create a new program.  Integrate this functionality
> | > (checking signatures) into pkg_info or pkg_version (I prefer the former
> | > myself).
> 
> By integration, I meant that the output should be parseable by pkg_version
> and pkg_info.

Its major output is a "yes" or "no" answer.  Keep in mind this only works
on the .tgz file, not on the package after it is installed on the system.  It
would be simple to extend pkg_info or pkg_version to report if a .tgz has a 
signature and if so, if it matches, by the return value from pkg_check.  I'm 
not certain the return values are maintained that carefully right now, but 
I'll look through the code and make it return 0 for "has signature, is 
verified", negative for "has signature, not verified" and positive for "no 
signature".  Would that suffice?

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
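
The return-value convention proposed in the message above (0, negative, positive), seen from a calling process, as an added example that is not part of the original e-mail or of the pkg_check code. On POSIX systems the parent receives only the low 8 bits of the exit status, so a negative value arrives as a large positive one; the enum and function names are hypothetical and the forked child is a stand-in for pkg_check.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names for the three results proposed in the message. */
enum pkg_sig { PKG_SIG_VERIFIED = 0, PKG_SIG_BAD = -1, PKG_SIG_NONE = 1 };

/* Run a child that exits with `code` (stand-in for pkg_check) and return the
 * status as the parent sees it, or -1 if the child could not be run. */
int observed_status(int code)
{
    int st;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(code);                 /* child: exit without flushing stdio */
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);          /* always in the range 0..255 */
}

/* Naive caller: applies the sign convention directly to the wait status. */
enum pkg_sig classify_naive(int status)
{
    if (status == 0)
        return PKG_SIG_VERIFIED;
    return status < 0 ? PKG_SIG_BAD : PKG_SIG_NONE;
}

/* Fail-closed caller: reads the status as a signed 8-bit value, so 128..255
 * (and a failure to run the check at all) count as "not verified". */
enum pkg_sig classify_safe(int status)
{
    if (status == 0)
        return PKG_SIG_VERIFIED;
    return (status < 0 || status > 127) ? PKG_SIG_BAD : PKG_SIG_NONE;
}

int main(void)
{
    int codes[] = { PKG_SIG_VERIFIED, PKG_SIG_BAD, PKG_SIG_NONE };
    for (int i = 0; i < 3; i++) {
        int s = observed_status(codes[i]);
        printf("exit(%d) -> parent sees %d, naive=%d, safe=%d\n",
               codes[i], s, classify_naive(s), classify_safe(s));
    }
    return 0;
}
```

A caller that tests for a negative status never sees one, so a failed signature check is reported as "no signature" unless the status is decoded as in `classify_safe`.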

