Hi, Does it make sens to have an option to require package to be signed ?
Currently, a package without signature is gracefully installed without warning. The patch introduce an option "require-signature" in pkg.conf, and it respects -Dnosig in comand-line, if present. Thanks. -- Sébastien Marie Index: pkg.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/pkg_add/pkg.conf.5,v retrieving revision 1.5 diff -u -p -r1.5 pkg.conf.5 --- pkg.conf.5 11 Oct 2012 17:35:45 -0000 1.5 +++ pkg.conf.5 16 Jan 2014 07:47:30 -0000 @@ -78,6 +78,10 @@ to waive checksums during package deleti Set to .Ar yes to display (done/total) number of package messages. +.It Ar require-signature +Set to +.Ar yes +to require packages to be signed. .El .Pp Each option uses a separate line, and follows the following template: Index: OpenBSD/PkgAdd.pm =================================================================== RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/PkgAdd.pm,v retrieving revision 1.45 diff -u -p -r1.45 PkgAdd.pm --- OpenBSD/PkgAdd.pm 11 Jan 2014 11:54:43 -0000 1.45 +++ OpenBSD/PkgAdd.pm 16 Jan 2014 07:47:30 -0000 @@ -663,6 +663,9 @@ sub check_digital_signature $state->{check_digest} = 1; $state->{packages_with_sig}++; } + } elsif ($state->config->istrue("require-signature") and ! $state->defines('nosig')) { + $state->fatal("#1 isn't signed and signature is required", + $plist->pkgname); } else { $state->{packages_without_sig}{$plist->pkgname} = 1; }