From: Baptiste Daroussin
Date: Wed, 9 Sep 2015 15:27:18 +0200
To: Shawn Webb
Cc: freebsd-stable@freebsd.org, Marko Cupać
Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Message-ID: <20150909132717.GG38185@ivaldir.etoilebsd.net>
In-Reply-To: <2724677.3oEEqWz8m7@hbsd-dev-laptop>

On Wed, Sep 09, 2015 at 09:21:24AM -0400, Shawn Webb wrote:
> On Wednesday, 09 September 2015 10:56:20 AM Baptiste Daroussin wrote:
> > On Wed, Sep 09, 2015 at 09:14:12AM +0200, Marko Cupać wrote:
> > > On Tue, 8 Sep 2015 23:28:59 +0200
> > > Baptiste Daroussin wrote:
> > > > On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:
> > > > > Hi,
> > > > >
> > > > > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > > > > with signature_type="pubkey".
> > > > >
> > > > > Quick search returns:
> > > > > https://github.com/freebsd/pkg/issues/1309
> > > > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> > > > >
> > > > > I guess it is not hard to switch repo to fingerprints, however I
> > > > > would not expect to lose this functionality by updating to
> > > > > patchlevel.
> > > >
> > > > Implemented in head: r287579 I will MFC it asap. And see if it cannot
> > > > be added asap to a next patchlevel update.
> > > >
> > > > Best regards,
> > > > Bapt
> > >
> > > Thanx!
> > >
> > > Just a few quick not-completely-related questions: poudriere has the
> > > ability to sign repos with PKG_REPO_SIGNING_KEY, but not with external
> > > command, right? Is there a plan to support it? Can I build packages in
> > > poudriere without PKG_REPO_SIGNING_KEY, and sign repo later on with
> > > external command?
> >
> > First yes I plan to add the ability to sign the package used to bootstrap
> > via PKG_REPO_SIGNING_KEY asap in poudriere.
> >
> > Second you can keep your current configuration of poudriere, the signing
> > with pubkey works perfectly well. All you need to do is either via a
> > poudriere post bulk hook or manually go in the directory where your
> > packages live (in the Latest directory) and
> > echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \
> > -binary -out ./pkg.txz.pubkeysig
>
> I can't find any documentation in neither Poudriere's manpage nor in
> poudriere.conf.sample on how to add a post bulk hook.
>
> Is the signing_command option to `pkg repo` really only used in generating
> pkg.txz.sig? Is there any formal documentation about the cryptography design
> and architecture in relation to pkg's repositories?
>
> Thanks,

This is the doc we have on hooks:
https://github.com/freebsd/poudriere/wiki/hooks

Would be nice to get more stuff in there :)

Best regards,
Bapt
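The one-liner quoted in the thread signs the hex SHA-256 digest of pkg.txz (the output of `sha256 -q`), not the tarball bytes themselves, so whoever verifies pkg.txz.pubkeysig has to feed openssl exactly that digest string again. The script below is an added example, not code from the mailing list, from poudriere or from pkg: it wraps the quoted signing pipeline in a function, adds the matching `openssl dgst -verify` step, and runs both against a throwaway RSA key pair and a constructed stand-in for pkg.txz. The key paths, the `repo.key`/`repo.pub` names and the fallback to coreutils `sha256sum` on systems without FreeBSD's sha256(1) are assumptions of the example; `printf '%s'` stands in for the non-portable `echo -n`.

```shell
#!/bin/sh
# Added example: sign a pkg bootstrap tarball the way the thread describes
# (the signed message is the hex SHA-256 digest of pkg.txz) and verify it.
# Key names, paths and the sha256sum fallback are assumptions, not pkg's code.

sha256_hex() {
    # FreeBSD's sha256(1) prints only the digest with -q; fall back to
    # coreutils sha256sum elsewhere (assumption: one of the two is installed).
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# sign_bootstrap_pkg <private key> <pkg.txz>
# Writes <pkg.txz>.pubkeysig, exactly like the quoted echo|openssl pipeline.
sign_bootstrap_pkg() {
    key="$1"; pkg="$2"
    printf '%s' "$(sha256_hex "$pkg")" |
        openssl dgst -sha256 -sign "$key" -binary -out "$pkg.pubkeysig"
}

# verify_bootstrap_pkg <public key> <pkg.txz>
# Returns 0 only if <pkg.txz>.pubkeysig verifies over the current digest string.
verify_bootstrap_pkg() {
    pub="$1"; pkg="$2"
    [ -f "$pkg.pubkeysig" ] || return 1
    printf '%s' "$(sha256_hex "$pkg")" |
        openssl dgst -sha256 -verify "$pub" -signature "$pkg.pubkeysig" >/dev/null 2>&1
}

# run_signing_demo: throwaway key pair, constructed pkg.txz, sign, verify,
# then show that any change to the tarball invalidates the old signature.
# Returns 0 when both the good and the modified case behave as expected.
run_signing_demo() {
    work=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/repo.key" 2>/dev/null
    openssl pkey -in "$work/repo.key" -pubout -out "$work/repo.pub" 2>/dev/null
    # Constructed stand-in for the real bootstrap tarball.
    printf 'constructed stand-in for pkg.txz\n' > "$work/pkg.txz"

    sign_bootstrap_pkg "$work/repo.key" "$work/pkg.txz"
    verify_bootstrap_pkg "$work/repo.pub" "$work/pkg.txz" || { rm -rf "$work"; return 2; }

    # Appending a byte changes the digest, so the signature must now be rejected.
    printf 'x' >> "$work/pkg.txz"
    if verify_bootstrap_pkg "$work/repo.pub" "$work/pkg.txz"; then
        rm -rf "$work"; return 3
    fi

    rm -rf "$work"
    return 0
}

# Usage: run_signing_demo && echo "sign/verify round trip behaved as expected"
```

Signing the digest string rather than the file keeps the signed message tiny, but it also means the verifier must reproduce the string byte for byte (lowercase hex, no trailing newline), which is why the example uses `printf '%s'` on both sides. Keeping the private key off the build host and running only the verify half there, as the thread's post-bulk-hook suggestion implies, is the safer split.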