[tex-live] tlmgr: Package verification

Norbert Preining norbert at preining.info
Tue Jan 23 01:06:36 CET 2018 

Hi Philipp,

> also be made somewhat clearer in the tlmgr manual?

Yes indeed, it could be made clearer  :-)

> I still don't quite understand why --no-verify-downloads is needed: If
> one has gpg installed, but doesn't want signatures to be checked,
> wouldn't --no-require-verification suffice (apart from the main
> repository, where you said this option has no effect)?

Without --no-verify-downloads you will always get the main repository
checked, which cannot be turned off with --no-require-verification.
But with --no-verify-downloads even the main repo is not checked.

> What I didn't realize up to now was that these settings have nothing
> to do with the verification of the actual packages, i.e. the
> computation and comparison of sha512 hashes, as introduced with
> Texlive 2016.

I tend to not call this "verification" but integrity check. Without
verification of the signature of the main tlpdb, the package can still
contain anything (an attacker can change the content of a package as
well as the sha/md sums in the tlpdb). The checksum is here to guarantee
integrity of the downloaded package.

It is true that without verification this is not that useful, because
the un-xz is a very good integrity checker, too.

> Am I right that a) the Windows version ships with Perl's Digest::SHA
> and that b) hashes of *all* downloaded/updated packages are computed
> and compared with the values specified in the database file by

Yes.

> default? Both the terminal output and the logfile say nothing about
> this, but as tlmgr seems to be rather silent as long as there are no
> problems, I hope this is a good sign ;-)

Yes, the checksums are always done. Run tlmgr with -v and you will see
some more output:
...
D:12many upd package
D: done 12many.r1587.tar.xz, size 382132, 5e1a3e83b1f186dd4108843a0c248126566a20b9070b06f12a76b5e308615aeb5a419bdcbab2ccee66daeed1032e724ec016e5a005ac330e314228b6d5199b8e
...

If you run with -v -v then you will get even more (but expect faaaar too
much output to actually find it ;-)
...
D:12many upd package
DD:running system(tar -cf /home/norbert/tl/2017/tlpkg/backups/12many.r1587.tar texmf-dist/doc/latex/12many/12many.pdf texmf-dist/doc/latex/12many/README texmf-dist/source/latex/12many/12many.dtx texmf-dist/source/latex/12many/12many.ins texmf-dist/tex/latex/12many/12many.sty tlpkg/tlpobj/12many.tlpobj)
DD:tlchecksum: out = 8322d74706c0fa431319a937b1712d49a0244b9bc70b44bbe471a75603f99f89728f8270dc5369318a1fe8185d3667af097675e1b79f4d9931616d6a8e26255b
DD:tlchecksum: cs ===8322d74706c0fa431319a937b1712d49a0244b9bc70b44bbe471a75603f99f89728f8270dc5369318a1fe8185d3667af097675e1b79f4d9931616d6a8e26255b===
DD:xchdir(/home/norbert) ok
D: done 12many.r1587.tar.xz, size 382132, 8322d74706c0fa431319a937b1712d49a0244b9bc70b44bbe471a75603f99f89728f8270dc5369318a1fe8185d3667af097675e1b79f4d9931616d6a8e26255b

> (The manual says "That is, for each texlive.tlpdb loaded from a
> repository, the corresponding checksum file texlive.tlpdb.sha512 is
> also downloaded, and tlmgr confirms whether the checksum of the
> downloaded TLPDB file agrees with the download data." - which sounds
> as if *only* the tlpdb file is verified).

*verified* means that a cryptographic signature is checked. After that
each package in turn is checked for integrity, and as a consequence also
verified (unless the checksum mechanism is broken and can be
circumvented, which is with sha256 not possible at the moment).

> I did read this and tried both  "kpsewhich -var-value TEXMFCONFIG" and
> "kpsewhich -var-value TEXMFSYSCONFIG"
> 
> The former prints a path inside my user directory that does not exist,
> the latter refers to "texmf-config" inside the Texlive install
> directory, but there's only a file named "ls-R" inside, and no "tlmgr"
> subfolder.
> I guess I could place a config file at either location, but I wonder
> if any default config file should already be there.

No default config file is provided, none is necessary.

> Oh, and one more thing: "tlmgr --version" reports revision 46034 after
> the latest update, but this version isn't yet listed in the tlmgr
> news: https://www.tug.org/texlive/tlmgr-news.html

Because you install from tlcritical maybe? The tlmgr-news is for the
released version of tlmgr, not the one in testing/tlcritical.

All the best

Norbert

--
PREINING Norbert                               http://www.preining.info
Accelia Inc.     +    JAIST     +    TeX Live     +    Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

More information about the tex-live mailing list