From owner-freebsd-stable@freebsd.org Wed Sep 9 13:21:37 2015
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: freebsd-stable@freebsd.org
Cc: Baptiste Daroussin, Marko Cupać
Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Date: Wed, 09 Sep 2015 09:21:24 -0400
Message-ID: <2724677.3oEEqWz8m7@hbsd-dev-laptop>
Organization: HardenedBSD
In-Reply-To: <20150909085620.GF38185@ivaldir.etoilebsd.net>
References: <20150908123838.238e5e74@efreet> <20150909091412.350c51ed@efreet> <20150909085620.GF38185@ivaldir.etoilebsd.net>

On Wednesday, 09 September 2015 10:56:20 AM Baptiste Daroussin wrote:
> On Wed, Sep 09, 2015 at 09:14:12AM +0200, Marko Cupać wrote:
> > On Tue, 8 Sep 2015 23:28:59 +0200
> > Baptiste Daroussin wrote:
> > > On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:
> > > > Hi,
> > > >
> > > > I just found out that 10.2-RELEASE-p2 lost the ability to bootstrap pkg
> > > > with signature_type="pubkey".
> > > >
> > > > Quick search returns:
> > > > https://github.com/freebsd/pkg/issues/1309
> > > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> > > >
> > > > I guess it is not hard to switch the repo to fingerprints, however I
> > > > would not expect to lose this functionality by updating to a
> > > > patchlevel.
> > >
> > > Implemented in head: r287579. I will MFC it asap, and see if it cannot
> > > be added asap to a next patchlevel update.
> > >
> > > Best regards,
> > > Bapt
> >
> > Thanx!
> >
> > Just a few quick not-completely-related questions: poudriere has the
> > ability to sign repos with PKG_REPO_SIGNING_KEY, but not with an external
> > command, right? Is there a plan to support it? Can I build packages in
> > poudriere without PKG_REPO_SIGNING_KEY, and sign the repo later on with
> > an external command?
>
> First, yes, I plan to add the ability to sign the package used to bootstrap
> via PKG_REPO_SIGNING_KEY asap in poudriere.
>
> Second, you can keep your current configuration of poudriere; the signing
> with pubkey works perfectly well. All you need to do is, either via a
> poudriere post-bulk hook or manually, go to the directory where your
> packages live (the Latest directory) and run:
>
>   echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \
>       -binary -out ./pkg.txz.pubkeysig

I can't find any documentation in either Poudriere's manpage or in
poudriere.conf.sample on how to add a post-bulk hook.

Is the signing_command option to `pkg repo` really only used in generating
pkg.txz.sig? Is there any formal documentation about the cryptography design
and architecture in relation to pkg's repositories?

Thanks,

-- 
Shawn Webb
HardenedBSD
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
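As an added example (not part of the thread, and not pkg's or poudriere's own code), the manual pubkey signing step Baptiste quotes above, carried through with a throwaway RSA key and followed by the verification a repo operator would want before publishing the .pubkeysig. It assumes openssl is on the PATH, uses a constructed stand-in for pkg.txz, and replaces the BSD-only `sha256 -q` with `openssl dgst -r` so it also runs on Linux.

```shell
#!/bin/sh
# Added example, not code from the thread or from pkg/poudriere: reproduces
# the manual "pubkey" signing step (sign the hex SHA-256 of pkg.txz with the
# repository's RSA key) and checks the result with the public half.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the bootstrap tarball; any file works here.
printf 'constructed pkg.txz stand-in\n' > "$WORK/pkg.txz"

# Throwaway key pair standing in for /thekey from the thread (assumption:
# the repo key is an RSA private key usable by `openssl dgst -sign`).
openssl genrsa -out "$WORK/repo.key" 2048 2>/dev/null
openssl rsa -in "$WORK/repo.key" -pubout -out "$WORK/repo.pub" 2>/dev/null

# `sha256 -q` is BSD-only; `openssl dgst -r` prints "<hex> *<file>" everywhere.
file_digest() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# What gets signed is the ASCII hex digest without a trailing newline, not
# the raw tarball, exactly as in the quoted `echo -n | openssl dgst` pipeline.
sign_pubkey() {   # sign_pubkey <file> <private-key>  -> writes <file>.pubkeysig
  printf '%s' "$(file_digest "$1")" |
    openssl dgst -sha256 -sign "$2" -binary -out "$1.pubkeysig"
}

verify_pubkey() { # verify_pubkey <file> <public-key>  -> exit 0 iff signature valid
  printf '%s' "$(file_digest "$1")" |
    openssl dgst -sha256 -verify "$2" -signature "$1.pubkeysig" >/dev/null 2>&1
}

# Sign, then check that verification accepts the original and rejects a
# tampered copy shipped with the same .pubkeysig. Returns 0 if both hold.
demo() {
  sign_pubkey "$WORK/pkg.txz" "$WORK/repo.key"
  verify_pubkey "$WORK/pkg.txz" "$WORK/repo.pub" || return 1
  cp "$WORK/pkg.txz" "$WORK/tampered.txz"
  cp "$WORK/pkg.txz.pubkeysig" "$WORK/tampered.txz.pubkeysig"
  printf 'x' >> "$WORK/tampered.txz"
  if verify_pubkey "$WORK/tampered.txz" "$WORK/repo.pub"; then return 1; fi
  return 0
}

demo && echo "pubkey signature verified; tampered copy rejected"
```

Pointing `sign_pubkey` at the real Latest/pkg.txz and the repository key reproduces the quoted command; `verify_pubkey` with the matching public key is the check worth adding to a post-bulk hook.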