# Where is the signature or checksum of packagesite.pkg (latest)



## rulezero (Jan 10, 2022)

How do I manually check the checksum or signature for the packagesite.pkg file?

I downloaded an xf86-video pkg file from distcache.freebsd.org, directory 'latest'. Its checksum is in the packagesite file of course, but how do I check the packagesite.txz file? It is the latest version, so not the version from the iso-image. Using pkg is not an option because the system is not online yet, and I do need the latest package, because Xorg does not work with version 13.0 (it's for a laptop).


----------



## monwarez (Jan 10, 2022)

The fingerprint is located in the following directory: /usr/share/keys/pkg/trusted


----------



## SirDice (Jan 10, 2022)

rulezero said:


> Using pkg is not an option because the system is not online yet


Download the package for ports-mgmt/pkg, extract it, then use the included pkg-static executable to install itself. Then use pkg-add(8) to install 'local' packages you have in a directory.


----------



## rulezero (Jan 11, 2022)

monwarez said:


> The fingerprint is located in the following directory: /usr/share/keys/pkg/trusted


Apologies for my incomprehension, but that file does not give the fingerprint (if that is the sha256 checksum) of the packagesite.yaml or -txz file, and even if it would, I could not use it because I have release 0 installed, and I need the checksum of the packagesite file in the 'latest' version.

I checked if it would be the fingerprint of a public key, but those are sha1 by default, and with a public key I think I still would need a signature file.


----------



## SirDice (Jan 11, 2022)

Again, download the package for pkg(8). Extract that, and use the pkg-static executable that's in the archive to 'bootstrap' the installation of ports-mgmt/pkg itself.


----------



## monwarez (Jan 12, 2022)

Inside the packagesite.txz there will be a signature and the public key. The public key would have a sha256 checksum that matches one of the files in the trusted directory /usr/share/keys/pkg/trusted. Now, for how to check the signature with the public key, you will need to dig in the pkg code to see how it is done.
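
The fingerprint comparison described in this post, as an added example that is not part of the original thread and not taken from pkg's source: it hashes the public key extracted from the repository archive and compares the result with the `fingerprint:` entries under a keys directory. The `function`/`fingerprint` file layout, the sibling `revoked` directory and the function names are assumptions of this example, and it does not verify the signature itself.

```shell
#!/bin/sh
# Added example: match a repository public key against pkg fingerprint files.

# Print the hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                       # FreeBSD base utility
    else
        openssl dgst -sha256 -r "$1" | cut -d ' ' -f 1
    fi
}

# Print the fingerprint value of every file in a directory, one per line.
# Assumed file layout:  function: "sha256"
#                       fingerprint: "<64 hex digits>"
fingerprints_in() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*fingerprint:[[:space:]]*"\{0,1\}\([0-9A-Fa-f]\{64\}\)"\{0,1\}.*$/\1/p' "$f"
    done | tr 'A-F' 'a-f'
}

# check_pubkey PUBKEY_FILE KEYS_DIR
# KEYS_DIR is the directory that holds trusted/ (and, assumed, revoked/).
# Returns 0 = trusted, 1 = unknown key, 2 = revoked key, 3 = key unreadable.
check_pubkey() {
    [ -r "$1" ] || return 3
    digest=$(sha256_of "$1" | tr 'A-F' 'a-f')
    [ -n "$digest" ] || return 3
    # A revoked fingerprint wins over a trusted one.
    if fingerprints_in "$2/revoked" | grep -qxF "$digest"; then
        return 2
    fi
    if fingerprints_in "$2/trusted" | grep -qxF "$digest"; then
        return 0
    fi
    return 1
}
```

Call it as `check_pubkey <extracted public key file> /usr/share/keys/pkg` and act on the return code; only a result of 0 means the key that produced the signature is one the installed system already trusts.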


----------



## rulezero (Jan 12, 2022)

monwarez said:


> Inside the packagesite.txz there will be a signature and the public key. The public key would have a sha256 checksum that matches one of the files in the trusted directory /usr/share/keys/pkg/trusted. Now, for how to check the signature with the public key, you will need to dig in the pkg code to see how it is done.


I was trying it out on the files from the iso-image, and there is no public key there. In the downloaded package there indeed is. I checked the signature with openssl rsautl, so I am good now, and installed it with pkg add.


----------

