Where is the signature or checksum of packagesite.pkg (latest)

rulezero


How do I manually check the checksum or signature for the packagesite.pkg file?

I downloaded an xf86-video pkg file from distcache.freebsd.org, directory 'latest'. Its checksum is in the packagesite file of course, but how do I check the packagesite.txz file? It is the latest version, so not the version from the iso-image. Using pkg is not an option because the system is not online yet, and I do need the latest package, because Xorg does not work with version 13.0 (it's for a laptop).
 

monwarez


The fingerprint is located in the following directory: /usr/share/keys/pkg/trusted
 

rulezero


> The fingerprint is located in the following directory: /usr/share/keys/pkg/trusted

Apologies for my incomprehension, but that file does not give the fingerprint (if that is the sha256 checksum) of the packagesite.yaml or -txz file, and even if it did, I could not use it because I have release 0 installed, and I need the checksum of the packagesite file in the 'latest' version.

I checked if it would be the fingerprint of a public key, but those are sha1 by default, and with a public key I think I would still need a signature file.
 

SirDice


Again, download the package for pkg(8). Extract that, and use the pkg-static executable that's in the archive to 'bootstrap' the installation of ports-mgmt/pkg itself.
 

monwarez


Inside the packagesite.txz there will be a signature and the public key. The public key would have a sha256 checksum that matches one of the files in the trusted directory /usr/share/keys/pkg/trusted. Now, for how to check the signature with the public key, you will need to dig in the pkg code to see how it is done.
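
The fingerprint comparison described in the post above, as an added example that is not part of the original thread or of pkg's own code: it hashes the public key extracted from the downloaded packagesite archive and looks for that SHA-256 in the trusted directory. The function names and the `function:` / `fingerprint:` layout of the trusted files are assumptions; checking the signature itself is a separate step and is not shown.

```shell
#!/bin/sh
# Added example: match an extracted repository public key against the
# fingerprints under /usr/share/keys/pkg/trusted before trusting it.

# Print the lowercase hex SHA-256 of a file with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system tool
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# field NAME FILE: value of the first "NAME: value" line, quotes stripped.
# Assumed layout of a trusted file:  function: "sha256"
#                                    fingerprint: "<64 hex digits>"
field() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d '"[:space:]'
}

# find_trusted_key PUBKEY [TRUSTED_DIR]
# Prints the trusted file whose fingerprint equals sha256(PUBKEY).
# Returns 1 when nothing matches: the key must then not be used to
# check any signature. Returns 2 when the key cannot be read or hashed.
find_trusted_key() {
    pubkey=$1
    dir=${2:-/usr/share/keys/pkg/trusted}
    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 2; }
    want=$(sha256_of "$pubkey") || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip files that declare a hash function other than sha256.
        [ "$(field function "$f")" = sha256 ] || continue
        have=$(field fingerprint "$f" | tr 'A-F' 'a-f')
        if [ "$have" = "$want" ]; then
            echo "$f"
            return 0
        fi
    done
    echo "no trusted fingerprint matches $pubkey ($want)" >&2
    return 1
}

# Stand-alone use: sh script.sh /path/to/extracted/public-key [trusted-dir]
if [ $# -gt 0 ]; then find_trusted_key "$@"; fi
```

Only a key that passes this check gives the signature any meaning, because the public key travels in the same archive as the data it signs.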
 

rulezero


> Inside the packagesite.txz there will be a signature and the public key. The public key would have a sha256 checksum that matches one of the files in the trusted directory /usr/share/keys/pkg/trusted. Now, for how to check the signature with the public key, you will need to dig in the pkg code to see how it is done.

I was trying it out on the files from the iso-image, and there is no public key there. In the downloaded package there indeed is. I checked the signature with openssl rsautl, so I am good now, and installed it with pkg add.
 