previously on this list Peer Janssen contributed:

> The pkg_add man page says that digitally signed packages are checked
> against authorities in /etc/ssl/pkgca.pem.
>
> I didn't find this pkgca.pem at said place, although pkg_add is indeed
> installed.
>
> I suppose checking of digitally signed packages will not be possible
> without these certificates.
> So where will that pkgca.pem come from?

I believe that file was created and used optionally by home-made ports when signing was manually enabled and depended on openssl; gpg would be another option but is not built into the ports system, likely due to its license. Signify is OpenBSD's newer and far more efficient and neat method, now used on all packages by default, but if you're still interested then see pkg_sign(1):

    For X.509, the signer's certificate and the signer's private key
    should be generated using standard openssl x509 commands. This
    assumes the existence of a certificate authority (or several), whose
    public information is recorded as a /etc/ssl/pkgca.pem file.

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________
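
The X.509 arrangement that the quoted pkg_sign(1) text describes, as an added example that is not part of the original post or of OpenBSD's tools: a throwaway CA whose certificate plays the role of a pkgca.pem-style bundle, a signer certificate issued by it, and an unrelated certificate that must fail verification. All file names, subject names and the temporary directory are assumptions; nothing is written to /etc/ssl.

```shell
#!/bin/sh
# Added example: all names below are hypothetical and live in a temp directory.

make_pkg_ca_demo() {
    dir=$(mktemp -d) || return 1

    # 1. Self-signed CA. Its certificate is the "public information" that a
    #    pkgca.pem-style bundle would hold; the CA key stays private.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Package CA" \
        -keyout "$dir/ca.key" -out "$dir/pkgca.pem" 2>/dev/null || return 1

    # 2. Signer's private key and certificate request.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Package Signer" \
        -keyout "$dir/signer.key" -out "$dir/signer.csr" 2>/dev/null || return 1

    # 3. The CA issues the signer's certificate.
    openssl x509 -req -in "$dir/signer.csr" -days 30 -set_serial 2 \
        -CA "$dir/pkgca.pem" -CAkey "$dir/ca.key" \
        -out "$dir/signer.crt" 2>/dev/null || return 1

    # 4. A self-signed certificate with no link to the CA (negative case).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Unrelated Signer" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null || return 1

    echo "$dir"
}

# verify_signer BUNDLE CERT: succeeds only if CERT chains to a CA in BUNDLE.
verify_signer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report DIR: show how each certificate fares against the demo bundle.
report() {
    for c in signer rogue; do
        if verify_signer "$1/pkgca.pem" "$1/$c.crt"; then
            echo "$c.crt: chains to a CA in the bundle"
        else
            echo "$c.crt: rejected, no trusted CA in the bundle"
        fi
    done
}
```

Without the CA bundle file there is no trust anchor, so the signer certificate cannot be validated either, which matches the questioner's supposition.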