[tex-live] tlmgr: Package verification

Philipp philipp.kupferschmied at gmail.com
Mon Jan 22 23:58:22 CET 2018

Thank you for the detailed reply and explanation. Perhaps this could
also be made somewhat clearer in the tlmgr manual?
I still don't quite understand why --no-verify-downloads is needed: If
one has gpg installed, but doesn't want signatures to be checked,
wouldn't --no-require-verification suffice (apart from the main
repository, where you said this option has no effect)?

What I didn't realize up to now was that these settings have nothing
to do with the verification of the actual packages, i.e. the
computation and comparison of sha512 hashes, as introduced with
Texlive 2016.

Am I right that a) the Windows version ships with Perl's Digest::SHA
and that b) hashes of *all* downloaded/updated packages are computed
and compared with the values specified in the database file by
default? Both the terminal output and the logfile say nothing about
this, but as tlmgr seems to be rather silent as long as there are no
problems, I hope this is a good sign ;-)

I find the description in the manual a bit confusing, as it first
mentions package checksums, but then explains it further by refering
to texlive.tlpdb.sha512, which only seems to contain a hash for the
texlive.tlpdb file itself.
(The manual says "That is, for each texlive.tlpdb loaded from a
repository, the corresponding checksum file texlive.tlpdb.sha512 is
also downloaded, and tlmgr confirms whether the checksum of the
downloaded TLPDB file agrees with the download data." - which sounds
as if *only* the tlpdb file is verified).

>> I also wanted to have a look at the config files for tlmgr to have a
>> look at the default values, but it seems that neither a system-wide
>> nor a user-specific file exists. Is this correct? (kpsewhich
> No, this is not correct, see the documentation
> https://www.tug.org/texlive/doc/tlmgr.html#CONFIGURATION-FILE-FOR-TLMGR

I did read this and tried both  "kpsewhich -var-value TEXMFCONFIG" and
"kpsewhich -var-value TEXMFSYSCONFIG"

The former prints a path inside my user directory that does not exist,
the latter refers to "texmf-config" inside the Texlive install
directory, but there's only a file named "ls-R" inside, and no "tlmgr"
I guess I could place a config file at either location, but I wonder
if any default config file should already be there.

> Hope that helps

Yes, it did. Thanks again, and sorry for another ton of questions in
this mail...

Oh, and one more thing: "tlmgr --version" reports revision 46034 after
the latest update, but this version isn't yet listed in the tlmgr
news: https://www.tug.org/texlive/tlmgr-news.html


More information about the tex-live mailing list