Date: Wed, 9 Sep 2015 15:27:18 +0200
From: Baptiste Daroussin <bapt@freebsd.org>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: freebsd-stable@freebsd.org, Marko Cupać <marko.cupac@mimar.rs>
Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Message-ID: <20150909132717.GG38185@ivaldir.etoilebsd.net>
In-Reply-To: <2724677.3oEEqWz8m7@hbsd-dev-laptop>
References: <20150908123838.238e5e74@efreet> <20150909091412.350c51ed@efreet> <20150909085620.GF38185@ivaldir.etoilebsd.net> <2724677.3oEEqWz8m7@hbsd-dev-laptop>

On Wed, Sep 09, 2015 at 09:21:24AM -0400, Shawn Webb wrote:
> On Wednesday, 09 September 2015 10:56:20 AM Baptiste Daroussin wrote:
> > On Wed, Sep 09, 2015 at 09:14:12AM +0200, Marko Cupać wrote:
> > > On Tue, 8 Sep 2015 23:28:59 +0200 Baptiste Daroussin <bapt@FreeBSD.org> wrote:
> > > > On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:
> > > > > Hi,
> > > > >
> > > > > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > > > > with signature_type="pubkey".
> > > > >
> > > > > Quick search returns:
> > > > > https://github.com/freebsd/pkg/issues/1309
> > > > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> > > > >
> > > > > I guess it is not hard to switch repo to fingerprints, however I
> > > > > would not expect to lose this functionality by updating to
> > > > > patchlevel.
> > > >
> > > > Implemented in head: r287579 I will MFC it asap. And see if it cannot
> > > > be added asap to a next patchlevel update.
> > > >
> > > > Best regards,
> > > > Bapt
> > >
> > > Thanx!
> > >
> > > Just a few quick not-completely-related questions: poudriere has the
> > > ability to sign repos with PKG_REPO_SIGNING_KEY, but not with external
> > > command, right? Is there a plan to support it? Can I build packages in
> > > poudriere without PKG_REPO_SIGNING_KEY, and sign repo later on with
> > > external command?
> >
> > First yes I plan to add the ability to sign the package used to bootstrap
> > via PKG_REPO_SIGNING_KEY asap in poudriere.
> >
> > Second you can keep your current configuration of poudriere, the signing
> > with pubkey works perfectly well. All you need to do is either via a
> > poudriere post bulk hook or manually go in the directory where your
> > packages live (in the Latest directory) and
> > echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \
> > -binary -out ./pkg.txz.pubkeysig
>
> I can't find any documentation in either Poudriere's manpage or
> poudriere.conf.sample on how to add a post bulk hook.
>
> Is the signing_command option to `pkg repo` really only used in generating
> pkg.txz.sig? Is there any formal documentation about the cryptography design
> and architecture in relation to pkg's repositories?
>
> Thanks,

This is the doc we have on hooks:
https://github.com/freebsd/poudriere/wiki/hooks

Would be nice to get more stuff in there :)

Best regards,
Bapt
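
The signing step quoted in this thread, paired with the matching openssl verification, as an added example that is not part of the original messages and is not pkg's or poudriere's own code. The function names, the throwaway RSA key and the constructed stand-in for pkg.txz are assumptions; the check is done with openssl over the same input and does not show how pkg itself validates the file.

```shell
#!/bin/sh
# Sign the hex SHA-256 string of a package and check the resulting
# .pubkeysig with openssl. All keys and files below are constructed.

hexdigest() {   # hex SHA-256 of a file: sha256(1) on FreeBSD, openssl elsewhere
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

sign_bootstrap() {   # $1 = package, $2 = RSA private key (PEM)
    # printf '%s' sends the digest with no trailing newline, like echo -n
    printf '%s' "$(hexdigest "$1")" |
        openssl dgst -sha256 -sign "$2" -binary -out "$1.pubkeysig"
}

verify_bootstrap() {   # $1 = package, $2 = RSA public key (PEM)
    [ -s "$1.pubkeysig" ] || return 1   # missing or empty signature fails
    printf '%s' "$(hexdigest "$1")" |
        openssl dgst -sha256 -verify "$2" \
            -signature "$1.pubkeysig" >/dev/null 2>&1
}

demo() {   # round trip, then a tamper check; prints "ok fail"
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/repo.key" 2048 2>/dev/null
    openssl rsa -in "$d/repo.key" -pubout -out "$d/repo.pub" 2>/dev/null
    printf 'constructed stand-in for pkg.txz\n' > "$d/pkg.txz"
    sign_bootstrap "$d/pkg.txz" "$d/repo.key" || { rm -rf "$d"; return 1; }
    verify_bootstrap "$d/pkg.txz" "$d/repo.pub" && r1=ok || r1=fail
    printf 'tampered\n' >> "$d/pkg.txz"   # any change must break the check
    verify_bootstrap "$d/pkg.txz" "$d/repo.pub" && r2=ok || r2=fail
    rm -rf "$d"
    echo "$r1 $r2"
}

demo
```

Running the verification right after a post bulk signing step catches a signature made with the wrong key or over a stale pkg.txz before clients try to bootstrap from the repository.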