10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"

Shawn Webb shawn.webb at hardenedbsd.org
Wed Sep 9 13:21:37 UTC 2015


On Wednesday, 09 September 2015 10:56:20 AM Baptiste Daroussin wrote:
> On Wed, Sep 09, 2015 at 09:14:12AM +0200, Marko Cupać wrote:
> > On Tue, 8 Sep 2015 23:28:59 +0200
> > 
> > Baptiste Daroussin <bapt at FreeBSD.org> wrote:
> > > On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:
> > > > Hi,
> > > > 
> > > > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > > > with signature_type="pubkey".
> > > > 
> > > > Quick search returns:
> > > > https://github.com/freebsd/pkg/issues/1309
> > > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> > > > 
> > > > I guess it is not hard to switch repo to fingerprints, however I
> > > > would not expect to lose this functionality by updating to
> > > > patchlevel.
> > > 
> > > Implemented in head: r287579 I will MFC it asap. And see if it cannot
> > > be added asap to a next patchlevel update.
> > > 
> > > Best regards,
> > > Bapt
> > 
> > Thanx!
> > 
> > Just a few quick not-completely-related questions: poudriere has the
> > ability to sign repos with PKG_REPO_SIGNING_KEY, but not with external
> > command, right? Is there a plan to support it? Can I build packages in
> > poudriere without PKG_REPO_SIGNING_KEY, and sign repo later on with
> > external command?
> 
> First yes I plan to add the ability to sign the package used to bootstrap
> via PKG_REPO_SIGNING_KEY asap in poudriere.
> 
> Second you can keep your current configuration of poudriere, the signing
> with pubkey works perfectly well. All you need to do is either via a
> poudriere post bulk hook or manually go in the directory where your
> packages lives (in the Latest directory) and
> echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \
>     -binary -out ./pkg.txz.pubkeysig

I can't find any documentation in neither Poudriere's manpage nor in 
poudriere.conf.sample on how toadd a post bulk hook.

Is the signing_command option to `pkg repo` really only used in generating 
pkg.txz.sig? Is there any formal documentation about the cryptography design 
and architecture in relation to pkg's repositories?

Thanks,

-- 
Shawn Webb
HardenedBSD

GPG Key ID:                0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20150909/2a17ba37/attachment.bin>


More information about the freebsd-stable mailing list