[tex-live] tlmgr: Package verification

Philipp philipp.kupferschmied at gmail.com
Sun Nov 5 18:48:28 CET 2017


Hi there,

I want to install TeX Live 2017 on Windows 10. As I'm rather paranoid
when software uses its own package manager or update mechanism, I'd
like to know if (and how) tlmgr ensures the integrity of
downloaded/updated packages. I found some presentation slides from
2016 that seem to address that very problem, but I'm not sure if all
the things mentioned there are performed out-of-the-box.
From what I found out so far, it seems as if a separate
GPG-installation is necessary for all the verification stuff to work?

What happens if I run tlmgr (or the Windows net installer) without
having GPG installed? Does it verify SHA512-hashes of downloaded
packages against those found in texlive.tlpdb, but without checking
the authenticity of the latter?
For GPG, does it suffice to download and install Gpg4Win before
installing TeX Live/running tlmgr?

What's the purpose of the repository at
http://www.preining.info/tlgpg/ that is mentioned in the presentation?
Do I still need tlgpg if I use tlmgr with Gpg4Win installed?

I hope someone can help me with these questions (or point me to some
documentation that answers them - perhaps I simply didn't find it).

Regards,
Philipp

