From pst@jnx.com  Fri Feb 14 09:53:03 1997
Received: from red.jnx.com (red.jnx.com [208.197.169.254])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA18645;
          Fri, 14 Feb 1997 09:53:02 -0800 (PST)
Received: from base.jnx.com (base.jnx.com [208.197.169.238]) by red.jnx.com (8.8.5/8.8.3) with ESMTP id JAA22643; Fri, 14 Feb 1997 09:52:31 -0800 (PST)
Received: (from pst@localhost) by base.jnx.com (8.7.6/8.7.3) id JAA16138; Fri, 14 Feb 1997 09:52:25 -0800 (PST)
Message-Id: <199702141752.JAA16138@base.jnx.com>
Date: Fri, 14 Feb 1997 09:52:25 -0800 (PST)
From: Paul Traina <pst@jnx.com>
Reply-To: pst@jnx.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: jkh@freebsd.org, guido@freebsd.org
Subject: package/tarball distribution security (we should be signing)
X-Send-Pr-Version: 3.2

>Number:         2735
>Category:       bin
>Synopsis:       Add signature support (both MD5 and PGP) to pkg_*
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jkh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 14 10:00:02 PST 1997
>Closed-Date:    Tue Sep 8 03:47:08 PDT 1998
>Last-Modified:  Tue Sep  8 03:47:42 PDT 1998
>Originator:     Paul Traina
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
Juniper Networks
>Environment:

Irrelevant.

>Description:

One feature that I've always wanted is to have the ability for a package
creator to sign a package with his or her pgp key, so that you can say:
"This package really was from Satoshi and hasn't been modified by a mirror
site".

This can currently be done just by creating detached signatures and
keeping a file of them someplace "safe" -- but even better would be a
way to integrate that directly into the package,  giving us a way to
validate an entire package, either via a public/private key pair, or
at least MD5 across the entire .tgz file (not just the individual
components) where RSA is either unreasonable or unavailable.


>How-To-Repeat:

>Fix:
	
I know some of the linux packages use the following tgz within a
tar file hack to produce a single .tar file that is "self-signed".

              /---
              | <current .tgz package>
new .tar file | <md5 sig>
              | <pgp sig>
              \---
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->jkh 
Responsible-Changed-By: pst 
Responsible-Changed-When: Fri Feb 14 10:19:26 PST 1997 
Responsible-Changed-Why:  
pkg = jkh 
(however I'd be willing to think about this too) 
State-Changed-From-To: open->closed 
State-Changed-By: jkh 
State-Changed-When: Tue Sep 8 03:47:08 PDT 1998 
State-Changed-Why:  
I'm probably not going to do this before the new package system comes 
out (which I've sent you an early revision of for review) so I'm just 
going to mark it closed. 
>Unformatted:
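The "tgz within a tar" layout sketched under >Fix, as an added Python example that is not part of this PR or of pkg_*: the outer uncompressed tar carries the original .tgz, an MD5 line computed over the whole .tgz, and a detached signature over the same bytes. The standard library has no OpenPGP, so a keyed HMAC-SHA256 stands in for the PGP signature here; the member names, the BSD `md5` line format and the sample package bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample payload standing in for a real package .tgz.
SAMPLE_TGZ = b"\x1f\x8b" + b"sample package bytes, not a real gzip stream" * 4

def build_signed_bundle(pkg_name, tgz_bytes, signer=None):
    """Outer tar holding the .tgz, an MD5 line over the whole .tgz (BSD `md5`
    output format) and, if `signer` is given, a detached signature member."""
    digest = hashlib.md5(tgz_bytes).hexdigest()
    members = {
        f"{pkg_name}.tgz": tgz_bytes,
        f"{pkg_name}.md5": f"MD5 ({pkg_name}.tgz) = {digest}\n".encode(),
    }
    if signer is not None:
        members[f"{pkg_name}.sig"] = signer(tgz_bytes)
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return out.getvalue()

def verify_bundle(bundle, pkg_name, verifier=None):
    """Check the MD5 over the embedded .tgz, then (if `verifier(tgz, sig) ->
    bool` is supplied) the detached signature. Returns a short status."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        files = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    tgz = files.get(f"{pkg_name}.tgz")
    md5_line = files.get(f"{pkg_name}.md5")
    sig = files.get(f"{pkg_name}.sig")
    if tgz is None or md5_line is None:
        return "missing-member"
    expected = md5_line.decode().rsplit("= ", 1)[-1].strip()
    if hashlib.md5(tgz).hexdigest() != expected:
        return "md5-mismatch"
    # The .md5 rides in the same tar, so whoever rewrites the .tgz can rewrite
    # the digest too; only the signature ties the bytes to the signer's key.
    if verifier is not None and (sig is None or not verifier(tgz, sig)):
        return "bad-signature"
    return "ok"

# Constructed stand-in for a PGP detached signature: keyed HMAC-SHA256.
def hmac_signer(key):
    return lambda data: hmac.new(key, data, "sha256").digest()

def hmac_verifier(key):
    return lambda data, sig: hmac.compare_digest(hmac_signer(key)(data), sig)
```

With `verifier=None` the check degrades to the MD5-only mode the report mentions, which catches corruption but not a mirror that regenerates the .md5 alongside a modified .tgz.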
