texlive[45716] Master/texmf-dist/scripts/texlive/tlmgr.pl: add more

[commits+preining at tug.org]

Revision: 45716
          http://tug.org/svn/texlive?view=revision&revision=45716
Author:   preining
Date:     2017-11-08 00:44:28 +0100 (Wed, 08 Nov 2017)
Log Message:
-----------
add more info to tlmgr man page about crypto

Modified Paths:
--------------
    trunk/Master/texmf-dist/scripts/texlive/tlmgr.pl

Modified: trunk/Master/texmf-dist/scripts/texlive/tlmgr.pl
===================================================================
--- trunk/Master/texmf-dist/scripts/texlive/tlmgr.pl	2017-11-07 21:43:47 UTC (rev 45715)
+++ trunk/Master/texmf-dist/scripts/texlive/tlmgr.pl	2017-11-07 23:44:28 UTC (rev 45716)
@@ -8554,6 +8554,13 @@
 C<(not verified)>.  Either way, by default the installation and/or
 updates proceed normally.
 
+If a program C<gpg> is available (that is, it is found in the C<PATH>),
+cryptographic signatures will be checked. In this case we require that
+the main repository is signed. This is not required for additional r
+repositories. If C<gpg> is not available, signatures are not checked
+and no verification is carried out, but C<tlmgr> proceeds normally.
+This is the behavior of C<tlmgr> up to TeX Live 2016.
+
 The attempted verification can be suppressed by specifying
 C<--no-verify-downloads> on the command line, or the entry
 C<verify-downloads = 0> in a C<tlmgr> config file (described in
@@ -8561,6 +8568,9 @@
 I<require> verification by specifying C<--require-verification> on the
 command line, or C<require-verification = 1> in a C<tlmgr> config file;
 in this case, if verification is not possible, the program quits.
+Note that as mentioned above, if C<gpg> is available, the main repository
+is always required to have a signature. Using the C<--require-verification>
+switch, C<tlmgr> also requires signatures from additional repositories.
 
 Cryptographic verification requires checksum checking (described just
 above) to succeed, and a working GnuPG (C<gpg>) program (see below for