[tex-live] tlmgr: Package verification

Norbert Preining preining at logic.at
Mon Nov 6 00:56:45 CET 2017

Hi Philipp,

> like to know if (and how) tlmgr ensures the integrity of
> downloaded/updated packages. I found some presentation slides from
> 2016 that seem to address that very problem, but I'm not sure if all

Yes it does.

> the things mentioned there are performed out-of-the-box.

If there is a gog installation available yes, otherwise no.

> From what I found out so far, it seems as if a separate
> GPG-installation is necessary for all the verification stuff to work?

Especially on Windows and Mac, yes. Linux installations normally have
gpg around.

> What happens if I run tlmgr (or the Windows net installer) without
> having GPG installed? Does it verify SHA512-hashes of downloaded

It works normally but gives a warning that gpg is not installed and
verification cannot performed.

> For GPG, does it suffice to download and install Gpg4Win before
> installing Tex Live/running tlmgr?

If after that gpg is in the PATH, yes. Or you can install tlgpg which is
a packaged gpg that does not pollute the PATH, see:

> What's the purpose of the repository at
> http://www.preining.info/tlgpg/ that is mentioned in the presentation?
> Do I still need tlgpg if I use tlmgr with Gpg4Win installed?

No. tlgpg *OR* Gpg4Win. The point is that there needs to be a gpg binary
available in the PATH.

Hope that helps


PREINING Norbert                               http://www.preining.info
Accelia Inc.     +    JAIST     +    TeX Live     +    Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

More information about the tex-live mailing list