Anothe pkgng question: signing a repository
Kevin Oberman
kob6558 at gmail.com
Fri Dec 28 18:06:27 UTC 2012
On Fri, Dec 28, 2012 at 9:28 AM, Matthew Seaman <matthew at freebsd.org> wrote:
> On 27/12/2012 21:01, Garrett Wollman wrote:
>>> I'm creating my own repository and have created a key for it.
>> [...]
>>> >What does pkg expect to be in this file?
>
>> A public key. It does not use X.509 (nor is there any reason why it
>> should, although I suppose it could be made to at the cost of
>> significant added complexity and a bootstrapping problem).
>
> pkgng has a quite minimal signing setup -- it uses naked RSA
> public/private keys without committing to either of the two popular
> models for providing assurance on the validity of public keys (viz: PGP
> web of trust or X509 style certificate chains to some trusted root
> certificate). It's not clear at the moment if one or other or neither
> of those styles would be preferred in the future.
>
> Or it may well be the case that RFC6698 (DANE -- DNS-Based
> Authentication of Named Entities) via DNSSEC signed zone data[*] is
> preferred over either of the two means frequently used at the moment.
> Remember that there's really only one cryptographic signature needed for
> each architecture/OS version specific repository catalogue. So not a
> huge maintenance burden keeping the DNS up to date and signed even if a
> new repository catalogue is published each day.
>
> Cheers,
>
> Matthew
>
> [*] FreeBSD.org is not currently DNSSEC signed, so use of DANE will have
> to remain no more than a pipe-dream for the time being.
So why not? BIND 9.9 makes signing pretty easy and many registrars
support it, though not all do. I think Tucows does, though I don't use
them, so I might be wrong. With all of the concern over security after
the intrusion, this seems like a good time to get started with
signing. (Yes, I know everyone is really tied up with auditing things,
but if it keeps getting delayed, ti will not happen.)
And, yes, DANE is clearly preferable to either PGP (#2 choice, IMHO)
or X.509 (too broken to be worth considering).
--
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com
More information about the freebsd-stable
mailing list