[tex-live] tlmgr: Package verification
preining at logic.at
Wed Nov 8 00:45:29 CET 2017
> manual recently and didn't find anything: Please include that
> information there.
I committed these changes:
index 5a052686f31..831ae58ecb6 100755
@@ -8554,6 +8554,13 @@ report C<(verified)> after loading the TLPDB; otherwise, they report
C<(not verified)>. Either way, by default the installation and/or
updates proceed normally.
+If a program C<gpg> is available (that is, it is found in the C<PATH>),
+cryptographic signatures will be checked. In this case we require that
+the main repository is signed. This is not required for additional r
+repositories. If C<gpg> is not available, signatures are not checked
+and no verification is carried out, but C<tlmgr> proceeds normally.
+This is the behavior of C<tlmgr> up to TeX Live 2016.
The attempted verification can be suppressed by specifying
C<--no-verify-downloads> on the command line, or the entry
C<verify-downloads = 0> in a C<tlmgr> config file (described in
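Review bot: The third added line ends in a stray "r" ("This is not required for additional r") directly before "repositories" on the next line, so the rendered text will read "additional r repositories"; remove it. In the same paragraph, "This is the behavior of C<tlmgr> up to TeX Live 2016" has no clear referent: say explicitly that proceeding without any verification is what releases up to 2016 did. Because a missing C<gpg> silently disables signature checking while C<tlmgr> proceeds normally, it would also help to point readers at C<--require-verification> here as the way to make that case stop instead of continuing.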
@@ -8561,6 +8568,9 @@ L<CONFIGURATION FILE FOR TLMGR>). On the other hand, it is possible to
I<require> verification by specifying C<--require-verification> on the
command line, or C<require-verification = 1> in a C<tlmgr> config file;
in this case, if verification is not possible, the program quits.
+Note that as mentioned above, if C<gpg> is available, the main repository
+is always required to have a signature. Using the C<--require-verification>
+switch, C<tlmgr> also requires signatures from additional repositories.
Cryptographic verification requires checksum checking (described just
above) to succeed, and a working GnuPG (C<gpg>) program (see below for
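Review bot: "the main repository is always required to have a signature" in the added note does not say what C<tlmgr> does when C<gpg> is present and the main repository is unsigned (quit, as in the preceding sentence, or warn and continue). The word "always" also reads as contradicting the earlier statement that C<--no-verify-downloads> or C<verify-downloads = 0> suppresses the attempted verification. Suggest stating the outcome explicitly and qualifying "always" for the case where verification has been suppressed.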
If you have any further suggestions for the section
in the tlmgr man/help, please send them.
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13