Where is the signature or checksum of packagesite.pkg (latest)

How do I manually check the checksum or signature for the packagesite.pkg file ?

I downloaded an xf86-video pkg file from distcache.freebsd.org, directory 'latest'. Its checksum is in the packagesite file of course, but how do I check the packagesite.txz file ? It is the latest version, so not the version from the iso-image. Using pkg is not an option because the system is not online yet, and I do need the latest package, because Xorg does not work with version 13.0 (it's for a laptop).
 
The fingerprint is located in the following directory: /usr/share/keys/pkg/trusted
Apologies for my incomprehension, but that file does not give the fingerprint (if that is the sha256 checksum) of the packagesite.yaml or -txz file, and even if it would, I could not use it because I have release 0 installed, and I need the checksum of the packagesite file in the 'latest' version.

I checked if it would be the fingerprint of a public key, but those are sha1 by default, and with a public key I think I still would need a signature file
 
Again, download the package for pkg(8). Extract that, and use the pkg-static executable that's in the archive to 'bootstrap' the installation of ports-mgmt/pkg itself.
 
Inside the packagesite.txz there will be a signature and the public key. The public key would have a sha256 checksum that match one of the files in the trusted directory /usr/share/keys/pkg/trusted, now for how to check the signature with the public key you will need to dig in the pkg code to see how it is done.
 
Inside the packagesite.txz there will be a signature and the public key. The public key would have a sha256 checksum that match one of the files in the trusted directory /usr/share/keys/pkg/trusted, now for how to check the signature with the public key you will need to dig in the pkg code to see how it is done.
I was trying it out on the files from the iso-image, and there is no public key there. In the downloaded package there indeed is. I checked the signature with openssl rsautl, so I am good now, and installed it with pkg add.
 
Back
Top