Hi,
Does it make sens to have an option to require package to be signed ?
Currently, a package without signature is gracefully installed without
warning.
The patch introduce an option "require-signature" in pkg.conf, and it
respects -Dnosig in comand-line, if present.
Thanks.
--
Sébastien Marie
Index: pkg.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/pkg_add/pkg.conf.5,v
retrieving revision 1.5
diff -u -p -r1.5 pkg.conf.5
--- pkg.conf.5 11 Oct 2012 17:35:45 -0000 1.5
+++ pkg.conf.5 16 Jan 2014 07:47:30 -0000
@@ -78,6 +78,10 @@ to waive checksums during package deleti
Set to
.Ar yes
to display (done/total) number of package messages.
+.It Ar require-signature
+Set to
+.Ar yes
+to require packages to be signed.
.El
.Pp
Each option uses a separate line, and follows the following template:
Index: OpenBSD/PkgAdd.pm
===================================================================
RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/PkgAdd.pm,v
retrieving revision 1.45
diff -u -p -r1.45 PkgAdd.pm
--- OpenBSD/PkgAdd.pm 11 Jan 2014 11:54:43 -0000 1.45
+++ OpenBSD/PkgAdd.pm 16 Jan 2014 07:47:30 -0000
@@ -663,6 +663,9 @@ sub check_digital_signature
$state->{check_digest} = 1;
$state->{packages_with_sig}++;
}
+ } elsif ($state->config->istrue("require-signature") and !
$state->defines('nosig')) {
+ $state->fatal("#1 isn't signed and signature is
required",
+ $plist->pkgname);
} else {
$state->{packages_without_sig}{$plist->pkgname} = 1;
}
