Another pkgng question: signing a repository

Matthew Seaman matthew at FreeBSD.org
Fri Dec 28 17:28:50 UTC 2012


On 27/12/2012 21:01, Garrett Wollman wrote:
>> I'm creating my own repository and have created a key for it.
> [...]
>>> What does pkg expect to be in this file?

> A public key.  It does not use X.509 (nor is there any reason why it
> should, although I suppose it could be made to at the cost of
> significant added complexity and a bootstrapping problem).

pkgng has a quite minimal signing setup -- it uses naked RSA
public/private keys without committing to either of the two popular
models for providing assurance on the validity of public keys (viz: PGP
web of trust or X509 style certificate chains to some trusted root
certificate).  It's not clear at the moment if one or other or neither
of those styles would be preferred in the future.

Or it may well be the case that RFC6698 (DANE -- DNS-Based
Authentication of Named Entities) via DNSSEC signed zone data[*] is
preferred over either of the two means frequently used at the moment.
Remember that there's really only one cryptographic signature needed for
each architecture/OS version specific repository catalogue.  So not a
huge maintenance burden keeping the DNS up to date and signed even if a
new repository catalogue is published each day.

	Cheers,

	Matthew

[*] FreeBSD.org is not currently DNSSEC signed, so use of DANE will have
to remain no more than a pipe-dream for the time being.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
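As an added illustration of the naked-RSA model the post describes (this is example code, not part of the post and not pkgng's own implementation), the following POSIX shell script signs a constructed repository catalogue with openssl(1) and verifies it using nothing but the bare public key; the file names and catalogue contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the post, not pkgng code): one RSA key pair per
# publisher, one detached signature per repository catalogue, and no X.509
# chain or PGP web of trust involved. Requires openssl(1).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a repository catalogue (assumed content).
printf 'name: example\nversion: 1.0\n' > "$WORK/catalogue"

# Publisher side: generate the key pair; only the public half ships to clients.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/repo.key" 2>/dev/null
openssl pkey -in "$WORK/repo.key" -pubout -out "$WORK/repo.pub" 2>/dev/null

# sign_catalogue PRIVKEY CATALOGUE SIGFILE: RSA signature over SHA-256 digest.
sign_catalogue() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_catalogue PUBKEY CATALOGUE SIGFILE: exit 0 only if the signature
# matches this exact catalogue under the bare public key.
verify_catalogue() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

sign_catalogue "$WORK/repo.key" "$WORK/catalogue" "$WORK/catalogue.sig"

if verify_catalogue "$WORK/repo.pub" "$WORK/catalogue" "$WORK/catalogue.sig"; then
    echo "catalogue: signature OK"
else
    echo "catalogue: signature FAILED"; exit 1
fi

# A catalogue altered after signing (one byte changed) must be rejected.
printf 'name: example\nversion: 1.1\n' > "$WORK/tampered"
if verify_catalogue "$WORK/repo.pub" "$WORK/tampered" "$WORK/catalogue.sig"; then
    echo "tampered: signature unexpectedly accepted"; exit 1
else
    echo "tampered: signature rejected"
fi
```

Everything a client needs for the check is the public key file, which is exactly why the question of how that key itself is trusted (web of trust, certificate chain, or DANE) remains open.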



