View Single Post
  #2   (View Single Post)  
Old 24th October 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Packages are not included in a release's SHA256.sig file. Review the file contents.

Instead, the header within each package tarball contains the package signature. pkg_add(1) is used to check signatures for validity.


Edited to add: see pkg_sign(1). The signature is stored in the gzip(1) comment at the head of the tarball.
Reply With Quote