From: Baptiste Daroussin
To: Marko Cupać
Cc: freebsd-stable@freebsd.org
Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Date: Wed, 9 Sep 2015 10:56:20 +0200
Message-ID: <20150909085620.GF38185@ivaldir.etoilebsd.net>
In-Reply-To: <20150909091412.350c51ed@efreet>
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

On Wed, Sep 09, 2015 at 09:14:12AM +0200, Marko Cupać wrote:
> On Tue, 8 Sep 2015 23:28:59 +0200
> Baptiste Daroussin wrote:
>
> > On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:
> > > Hi,
> > >
> > > I just found out that 10.2-RELEASE-p2 lost the ability to bootstrap pkg
> > > with signature_type="pubkey".
> > >
> > > Quick search returns:
> > > https://github.com/freebsd/pkg/issues/1309
> > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> > >
> > > I guess it is not hard to switch the repo to fingerprints, however I
> > > would not expect to lose this functionality by updating to a
> > > patchlevel.
> > >
> > Implemented in head: r287579. I will MFC it asap, and see if it cannot
> > be added asap to a next patchlevel update.
> >
> > Best regards,
> > Bapt
>
> Thanx!
>
> Just a few quick not-completely-related questions: poudriere has the
> ability to sign repos with PKG_REPO_SIGNING_KEY, but not with an external
> command, right? Is there a plan to support it? Can I build packages in
> poudriere without PKG_REPO_SIGNING_KEY, and sign the repo later on with an
> external command?
>

First, yes, I plan to add the ability to sign the package used to bootstrap via
PKG_REPO_SIGNING_KEY asap in poudriere.

Second, you can keep your current configuration of poudriere; signing with
pubkey works perfectly well. All you need to do is, either via a poudriere
post-bulk hook or manually, go into the directory where your packages live (the
Latest directory) and run:

    echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \
        -binary -out ./pkg.txz.pubkeysig

Last, if you want to do the whole process manually:

    pkg repo /yourrepository /yourkey
    cd /yourrepository/Latest
    echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /yourkey \
        -binary -out ./pkg.txz.pubkeysig

I will see if I can avoid the extra command by merging the signing of the
bootstrap bit directly into pkg repo; that would be more handy.

Best regards,
Bapt
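The bootstrap signing step from the reply above as a runnable example (added here; not code from the thread, from pkg or from poudriere): it signs a stand-in pkg.txz exactly as the openssl command does, then verifies the .pubkeysig against the matching public key, which is the check a repository maintainer would run before publishing. It assumes openssl(1) is installed and falls back to sha256sum where FreeBSD's sha256 -q is not available.

```shell
#!/bin/sh
# Added example, not from the original thread. Sign pkg.txz the way the
# reply describes (signature_type="pubkey") and verify the result.
# Assumes openssl(1); sha256 -q on FreeBSD, sha256sum elsewhere.
set -eu

# Hex SHA-256 of a file, formatted as sha256 -q prints it on FreeBSD.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Write <file>.pubkeysig: the private key signs the hex digest *string*
# (what the thread's echo -n "$(sha256 -q pkg.txz)" feeds to openssl),
# not the raw tarball bytes. printf '%s' avoids echo -n portability issues.
sign_bootstrap() {
    key=$1; file=$2
    printf '%s' "$(file_sha256 "$file")" | openssl dgst -sha256 -sign "$key" \
        -binary -out "$file.pubkeysig"
}

# Return 0 if <file>.pubkeysig verifies against the public key, non-zero otherwise.
# The same digest-string construction must be used, or verification fails.
verify_bootstrap() {
    pub=$1; file=$2
    printf '%s' "$(file_sha256 "$file")" | openssl dgst -sha256 -verify "$pub" \
        -signature "$file.pubkeysig" >/dev/null 2>&1
}

# Demo on a constructed key pair and a constructed stand-in for pkg.txz.
demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/repo.key" 2048 >/dev/null 2>&1
    openssl rsa -in "$d/repo.key" -pubout -out "$d/repo.pub" >/dev/null 2>&1
    printf 'constructed stand-in for pkg.txz\n' > "$d/pkg.txz"
    sign_bootstrap "$d/repo.key" "$d/pkg.txz"
    verify_bootstrap "$d/repo.pub" "$d/pkg.txz" && echo "pkg.txz: signature OK"
    printf 'x' >> "$d/pkg.txz"          # tamper with the tarball after signing
    verify_bootstrap "$d/repo.pub" "$d/pkg.txz" || echo "pkg.txz: tampered, rejected"
    rm -rf "$d"
}

demo
```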