From: Bryan Drewery
Organization: FreeBSD
To: Shawn Webb, freebsd-stable@freebsd.org
Cc: Baptiste Daroussin
Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Date: Mon, 14 Sep 2015 15:45:24 -0700
Message-ID: <55F74E04.1010706@FreeBSD.org>

On 9/9/15 6:21 AM, Shawn Webb wrote:
> Is the signing_command option to `pkg repo` really only used in generating
> pkg.txz.sig? Is there any formal documentation about the cryptography design
> and architecture in relation to pkg's repositories?

No. It is used for all signing needs. Both the repo and pkg.txz.sig.

pkg repo:

    JNETNAME="n" injail ${PKG_BIN} repo \
        -o /tmp/packages ${PKG_META} /packages \
        ${SIGNING_COMMAND:+signing_command: ${SIGNING_COMMAND}}

pkg.txz.sig:

    rm -f "${pkgfile}.sig"
    sha256 -q "${pkgfile}" | ${SIGNING_COMMAND} > "${pkgfile}.sig"

--
Regards,
Bryan Drewery
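
An added illustration of the pkg.txz.sig pipeline quoted in the message above; it is not part of Bryan Drewery's message and is not poudriere or pkg code. It shows a stand-in signing command that reads the SHA-256 hex digest on stdin and writes the SIGNATURE/CERT/END output format that pkg-repo(8) documents for signing_command, then checks the result against a pinned public key. The throwaway RSA-2048 key, the temporary paths and the function names are assumptions, and `sha256sum` stands in for FreeBSD's `sha256 -q` where that is unavailable.

```shell
#!/bin/sh
# Added illustration: not poudriere or pkg code. Key, paths and names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hex SHA-256 of a file: FreeBSD `sha256 -q`, else coreutils `sha256sum`.
file_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Stand-in signing command: hex digest on stdin, envelope on stdout.
signing_command() {
    read -r sum
    [ -n "$sum" ] || return 1
    echo SIGNATURE
    printf %s "$sum" | openssl dgst -sha256 -sign "$WORK/repo.key" -binary
    echo
    echo CERT
    cat "$WORK/repo.pub"
    echo END
}

# verify_sig <pkgfile> <sigfile> <pinned-pubkey>
# Checks the signature against a key the verifier already holds; the key
# embedded after CERT is deliberately not used as a trust anchor.
verify_sig() {
    # Skip the 10-byte "SIGNATURE\n" header; an RSA-2048 signature is 256 bytes.
    tail -c +11 "$2" | head -c 256 > "$WORK/sig.bin"
    printf %s "$(file_digest "$1")" |
        openssl dgst -sha256 -verify "$3" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Throwaway key pair and a constructed stand-in for pkg.txz.
openssl genrsa -out "$WORK/repo.key" 2048 2>/dev/null
openssl rsa -in "$WORK/repo.key" -pubout -out "$WORK/repo.pub" 2>/dev/null
pkgfile="$WORK/pkg.txz"
printf 'constructed stand-in for pkg.txz\n' > "$pkgfile"

# Same two steps as the pkg.txz.sig snippet in the message.
rm -f "${pkgfile}.sig"
file_digest "${pkgfile}" | signing_command > "${pkgfile}.sig"

verify_sig "$pkgfile" "${pkgfile}.sig" "$WORK/repo.pub" && echo "signature verifies"
```

The signature covers the hex digest string without its trailing newline, so a verifier has to hash the file the same way and strip the newline before checking.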