Date: Mon, 14 Sep 2015 15:45:24 -0700
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Shawn Webb <shawn.webb@hardenedbsd.org>, freebsd-stable@freebsd.org
Cc: Baptiste Daroussin <bapt@freebsd.org>
Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Message-ID: <55F74E04.1010706@FreeBSD.org>
In-Reply-To: <2724677.3oEEqWz8m7@hbsd-dev-laptop>
References: <20150908123838.238e5e74@efreet> <20150909091412.350c51ed@efreet> <20150909085620.GF38185@ivaldir.etoilebsd.net> <2724677.3oEEqWz8m7@hbsd-dev-laptop>
On 9/9/15 6:21 AM, Shawn Webb wrote:
> Is the signing_command option to `pkg repo` really only used in generating
> pkg.txz.sig? Is there any formal documentation about the cryptography design
> and architecture in relation to pkg's repositories?

No. It is used for all signing needs. Both the repo and pkg.txz.sig.

pkg repo:

    JNETNAME="n" injail ${PKG_BIN} repo \
        -o /tmp/packages ${PKG_META} /packages \
        ${SIGNING_COMMAND:+signing_command: ${SIGNING_COMMAND}}

pkg.txz.sig:

    rm -f "${pkgfile}.sig"
    sha256 -q "${pkgfile}" | ${SIGNING_COMMAND} > "${pkgfile}.sig"

--
Regards,
Bryan Drewery
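
Added example, not part of the original message and not poudriere's or pkg's own code: a sketch of what the program behind SIGNING_COMMAND has to do in both snippets above, following the stdin/stdout contract documented in pkg-repo(8) (digest in, SIGNATURE/CERT/END envelope out). The function name sign_digest, the "sign" argument and the REPO_KEY/REPO_PUB paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a signing_command that honours pkg-repo(8)'s contract.
# REPO_KEY / REPO_PUB are assumed paths; point them at your own key pair.
: "${REPO_KEY:=/usr/local/etc/ssl/keys/repo.key}"
: "${REPO_PUB:=/usr/local/etc/ssl/certs/repo.pub}"

sign_digest() {
    # stdin carries one hex SHA-256 digest (what `sha256 -q` prints).
    read -r sum || [ -n "$sum" ] || return 1
    # Refuse anything that is not exactly 64 hex characters.
    case "$sum" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#sum}" -eq 64 ] || return 1
    [ -r "$REPO_KEY" ] && [ -r "$REPO_PUB" ] || return 1

    # Sign into a temp file first so a failure never emits a partial envelope.
    sig=$(mktemp) || return 1
    if ! printf '%s' "$sum" |
        openssl dgst -sha256 -sign "$REPO_KEY" -binary >"$sig"; then
        rm -f "$sig"
        return 1
    fi
    # Envelope: SIGNATURE, raw signature, CERT, public key, END.
    echo SIGNATURE
    cat "$sig"
    echo
    echo CERT
    cat "$REPO_PUB"
    echo END
    rm -f "$sig"
}

# Act as the signing command only when invoked with the "sign" argument.
if [ "${1:-}" = "sign" ]; then
    sign_digest
    exit
fi
```

Note that the signature covers the ASCII hex digest string, not the package file itself, so a verifier has to recompute the file's SHA-256 before checking the signature.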
