How to check a downloaded package on OpenBSD 5.1

Tags: openbsd, package-management, security

Under Linux there is a package called "ubuntu-keyring" – it's for checking that the downloaded packages (from the official repositories) are the ones that are on the server.

How can I do this under OpenBSD? How can I check that the downloaded package (via pkg_add – from the official repo) is the one that is on the server?

UPDATE:
Is rsync good for the job?

Best Answer

OpenBSD packages are not 'signed' at all by default.

If you are using OpenBSD in a commercial environment, have your employer buy the release CD. Then you will get the OpenBSD release with packages on a CD which you can trust :-)

A better way, and if you are using OpenBSD seriously you should have it, is to have a build server. Sync the OpenBSD ports from anoncvs (here you trust the ssh fingerprint, which is publicly announced), then build your own ports and sign them with a certificate. With the tool `dpb` it should be even easier.

OpenBSD packages are a secondary interest for the project as a whole.
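An added example, not part of the original question or answer, of the only check the question itself permits with 5.1-era packages: comparing a fetched package against the mirror's SHA256 list. It assumes the mirror's packages directory carries a file named `SHA256` in the format `sha256(1)` prints (`SHA256 (name.tgz) = <hex>`); the package names and contents below are constructed for the demo. The caveat from the answer applies: the list arrives over the same channel as the package, so a match only shows the file was not corrupted or swapped in transit. It does not tell you the mirror's copy is what the project built, because nothing in 5.1 is signed; that assurance only comes from building from ports yourself as described above.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded OpenBSD
# package against the mirror's SHA256 list. Assumption: the list uses the
# sha256(1) line format "SHA256 (name.tgz) = <64 hex chars>".
# A match proves transit integrity only, not that the mirror is honest.

# Print the hex SHA-256 digest of a file, using whichever tool the host has:
# sha256(1) on OpenBSD, sha256sum(1) from GNU coreutils elsewhere.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Print the digest recorded for package NAME in LIST, or nothing if absent.
# Fields are compared as whole strings, so dots and dashes in NAME are literal.
recorded_digest() {
    list=$1; name=$2
    awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" && $3 == "=" { print $4 }' "$list"
}

# verify_pkg LIST PKGFILE
# Exit status: 0 = digest matches, 1 = mismatch, 2 = package not in the list.
verify_pkg() {
    list=$1; pkg=$2
    name=$(basename "$pkg")
    want=$(recorded_digest "$list" "$name")
    if [ -z "$want" ]; then
        echo "NO ENTRY: $name is not listed in $list" >&2
        return 2
    fi
    have=$(sha256_of "$pkg")
    if [ "$have" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (list says $want, file has $have)" >&2
    return 1
}

# Demo on constructed data (not real packages): a fake "mirror" directory with
# one package and a SHA256 list generated from it, then a tampered copy.
WORK=$(mktemp -d)
printf 'pretend this is a package archive\n' > "$WORK/example-1.0.tgz"
printf 'SHA256 (%s) = %s\n' example-1.0.tgz "$(sha256_of "$WORK/example-1.0.tgz")" > "$WORK/SHA256"

verify_pkg "$WORK/SHA256" "$WORK/example-1.0.tgz"           # OK
cp "$WORK/example-1.0.tgz" "$WORK/tampered-1.0.tgz"
printf 'extra byte\n' >> "$WORK/tampered-1.0.tgz"
verify_pkg "$WORK/SHA256" "$WORK/tampered-1.0.tgz" || true  # NO ENTRY (name not listed)
cp "$WORK/tampered-1.0.tgz" "$WORK/example-1.0.tgz"
verify_pkg "$WORK/SHA256" "$WORK/example-1.0.tgz" || true   # MISMATCH
rm -rf "$WORK"
```

In practice you would fetch `SHA256` from the same mirror directory as the `.tgz` and run `verify_pkg SHA256 name.tgz` before `pkg_add`; a status of 1 or 2 means do not install. Treat a pass as "the download is what the mirror served", nothing more, which is exactly why the answer points at a trusted CD or a self-built package set instead.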
