10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"

Marko Cupać marko.cupac at mimar.rs
Tue Sep 8 14:48:18 UTC 2015

On Tue, 8 Sep 2015 15:38:02 +0200
Fabian Keil <freebsd-listen at fabiankeil.de> wrote:

> Marko Cupać <marko.cupac at mimar.rs> wrote:
> > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > with signature_type="pubkey".
> > 
> > Quick search returns:
> > https://github.com/freebsd/pkg/issues/1309
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> > 
> > I guess it is not hard to switch repo to fingerprints, however I
> > would not expect to lose this functionality by updating to
> > patchlevel.
> The "functionality" pkg(7) "lost" is silently ignoring unsupported
> signature types which is dangerous if the network can't be trusted:
> https://www.freebsd.org/security/advisories/FreeBSD-EN-15:15.pkg.asc
> https://www.fabiankeil.de/gehacktes/hardenedbsd/
> If you absolutely want to, you can still bootstrap insecurely by
> temporarily setting the signature type to none.

I absolutely _don't_ want to bootstrap insecurely, and I am thankful to
people more skilled in security than me for discovering and fixing

I'd like to have the ability to bootstrap from my repo securely, which
I thought I had.

I am trying to switch to fingerprints, but I need a little help.

On client, I have:
- changed signature_type to "fingerprints"
- pointed fingerprints to a directory
- created two subdirs, 'revoked' and 'trusted'
- inside trusted, created a file with 'function' and 'fingerprint'

But when I try to bootstrap, I get the following message:
pkg: Error fetching
http://pkg.example.com/packages/102amd64-default/Latest/pkg.txz.sig: Not Found

I am trying to follow example from pkg-repo(8) about creating and
signing repo with external command, but it does not work for me. To be
honest, I don't understand what exactly first command is supposed to
do. I guess it should create file similar to pkg.txz.sig on FreeBSD pkg
site, but it doesn't. Perhaps because I am using tcsh and not sh, but
switching to sh dosn't help either:

           # On signing server:
           % cat > sign.sh << EOF
           read -t 2 sum
           [ -z "$sum" ] && exit 1
           echo SIGNATURE
           echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
           echo CERT
           cat repo.pub
           echo END

The one who helps me figure this out can count on a few dozens of beers
when passing through Belgrade/Serbia.

Marko Cupać

More information about the freebsd-stable mailing list