On Wed, Jul 23, 2014 at 22:39, Peer Janssen wrote:

> (1)
> The pkg_add man page says that digitally signed packages are checked
> against authorities in /etc/ssl/pkgca.pem.
>
> I didn't find this pkgca.pem at said place, although pkg_add is indeed
> installed.
>
> I suppose checking of digitally signed packages will not be possible
> without these certificates.
> So where will that pkgca.pem come from?
That's rather outdated information. I would ignore it. pkg_add will verify the pkg was signed with a key in /etc/signify/. You shouldn't need to do anything about this. pkg_add will not by default install unsigned packages.

> (2)
> What I found in /etc/ssl was a cert.pem which apparently contained CAs.
> Some question: Where did it come from? How was it constituted by the
> OpenBSD team? Is there some kind of CA policy?

From time to time, somebody will send a patch that adds a CA or removes a CA from that file. Sometimes it's applied, sometimes it's not. I would describe the current CA policy as "the CA system is broken."