From: Jan Bramkamp
Date: Tue, 27 Jun 2023 10:59:32 +0200
Subject: Re: poudriere/pkg signing issue
To: freebsd-pkg@freebsd.org
List-Id: Binary package management and package tools discussion
List-Archive: https://lists.freebsd.org/archives/freebsd-pkg

On 27.06.23 10:50, FiLiS wrote:
> Hej there,
>
> I hope someone has an idea regarding this:
> I've just encountered something pretty odd. We've been using poudriere
> since quite some time, so we automated the cert deployment of our pkg
> repository on all consuming machines. As of today, pkg refuses to play
> ball:
>
> # pkg update
> Updating pkg.myrepo repository catalogue...
> Fetching meta.conf: 100%    163 B   0.2kB/s    00:01
> Fetching packagesite.pkg: 100%  365 KiB 374.2kB/s    00:01
> pkg: -----BEGIN PUBLIC KEY-----
> [...]
> -----END PUBLIC KEY-----: rsa signature verification failure
> pkg: Invalid signature, removing repository.
> Unable to update repository pkg.myrepo
> Error updating repositories!
>
> When I switch back to the .real_xxx directory of the day before,
> everything works fine.
> I can't quite figure out what caused this thing to break.
> It seems, as of today, we're shipping a different pkg.pkg.pubkeysig in
> the Latest folder, but the key configured in PKG_REPO_SIGNING_KEY
> hasn't moved since forever and I also compared it to backups, so
> nothing changed.

I just encountered the same problem on my poudriere server:

# pkg upgrade
Updating server repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01
Fetching packagesite.pkg: 100%  302 KiB 309.2kB/s    00:01
pkg: -----BEGIN PUBLIC KEY-----
*** REDACTED ... ***
-----END PUBLIC KEY-----
: rsa signature verification failure
pkg: Invalid signature, removing repository.
Unable to update repository server
Error updating repositories!

Could the latest OpenSSL 3.x related changes have broken plain RSA signature validation?