Packages are not included in a release's SHA256.sig file. Review the file contents.
Instead, the header within each package tarball contains the package signature. pkg_add(1) is used to check signatures for validity.
Edited to add: see pkg_sign(1). The signature is stored in the gzip(1) comment at the head of the tarball.
|