Trouble verifying a pkg-repo signature manually

John W. O'Brien john at saltant.com
Sat Feb 8 23:50:52 UTC 2014 

Hello freebsd-ports@,

I'm trying to build and maintain my own package repository and
understand how everything is put together in the process. Right now, I'm
having trouble understanding how the signatures are made and verified.
The following should illustrate both the problem I'm having and how I
think things are supposed to work.

My environment
--------------

# pkg -v
1.2.6
# openssl version
OpenSSL 0.9.8y 5 Feb 2013
# uname -a
FreeBSD XXXX.saltant.net 9.2-STABLE FreeBSD 9.2-STABLE #1 r260112: Mon
Dec 30 18:26:07 EST 2013
root at XXXX.saltant.net:/usr/obj/usr/src/sys/NARB  amd64


Build a package
---------------

# cd /usr/ports/devel/pkgconf
# make PACKAGES=/tmp/packages package
[...]
===>  Building package for pkgconf-0.9.4
# ls -lR /tmp/packages
total 4
drwxr-xr-x  2 root  wheel  512 Feb  8 18:32 All

/tmp/packages/All:
total 24
-rw-r--r--  1 root  wheel  23488 Feb  8 18:32 pkgconf-0.9.4.txz


Prepare the keys
----------------

# cd /tmp/keys
# openssl genrsa -out repo.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
...............................................................+++
e is 65537 (0x10001)
# openssl rsa -in repo.key -pubout repo.pub
writing RSA key


Generate the repo
-----------------

# pkg repo /tmp/packages /tmp/keys/repo.key
Generating repository catalog in /tmp/packages: done!


Testing the signature
---------------------

# cd /tmp/test
# tar xf /tmp/packages/digests.txz
# openssl dgst -verify /tmp/keys/repo.pub \
    -signature signature -sha256 digests
Verification Failure


Making and testing a new signature
----------------------------------

# openssl dgst -sign /tmp/repo.key -sha256 -binary digests > test_sig
# openssl dgst -verify /tmp/keys/repo.pub \
    -signature test_sig -sha256 digests
Verified OK

I would be grateful if somebody could point me in the right direction,
or disabuse me of some obvious misconception.

Regards,
John

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 535 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20140208/32db9b48/attachment.sig>

More information about the freebsd-ports mailing list