Date: Sat, 08 Feb 2014 18:50:44 -0500
From: "John W. O'Brien" <john@saltant.com>
To: FreeBSD Ports <freebsd-ports@freebsd.org>
Subject: Trouble verifying a pkg-repo signature manually
Message-ID: <52F6C2D4.9090009@saltant.com>
Hello freebsd-ports@,

I'm trying to build and maintain my own package repository and understand how everything is put together in the process. Right now, I'm having trouble understanding how the signatures are made and verified. The following should illustrate both the problem I'm having and how I think things are supposed to work.

My environment
--------------

# pkg -v
1.2.6
# openssl version
OpenSSL 0.9.8y 5 Feb 2013
# uname -a
FreeBSD XXXX.saltant.net 9.2-STABLE FreeBSD 9.2-STABLE #1 r260112: Mon Dec 30 18:26:07 EST 2013     root@XXXX.saltant.net:/usr/obj/usr/src/sys/NARB  amd64

Build a package
---------------

# cd /usr/ports/devel/pkgconf
# make PACKAGES=/tmp/packages package
[...]
===>  Building package for pkgconf-0.9.4
# ls -lR /tmp/packages
total 4
drwxr-xr-x  2 root  wheel  512 Feb  8 18:32 All

/tmp/packages/All:
total 24
-rw-r--r--  1 root  wheel  23488 Feb  8 18:32 pkgconf-0.9.4.txz

Prepare the keys
----------------

# cd /tmp/keys
# openssl genrsa -out repo.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
...............................................................+++
e is 65537 (0x10001)
# openssl rsa -in repo.key -pubout -out repo.pub
writing RSA key

Generate the repo
-----------------

# pkg repo /tmp/packages /tmp/keys/repo.key
Generating repository catalog in /tmp/packages: done!

Testing the signature
---------------------

# cd /tmp/test
# tar xf /tmp/packages/digests.txz
# openssl dgst -verify /tmp/keys/repo.pub \
    -signature signature -sha256 digests
Verification Failure

Making and testing a new signature
----------------------------------

# openssl dgst -sign /tmp/keys/repo.key -sha256 -binary digests > test_sig
# openssl dgst -verify /tmp/keys/repo.pub \
    -signature test_sig -sha256 digests
Verified OK

I would be grateful if somebody could point me in the right direction, or disabuse me of some obvious misconception.

Regards,
John
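The manual sign/verify round-trip from the message, as an added example that is not part of the original post: it reproduces the openssl commands above in a self-contained script and adds the negative check a practitioner would want, namely that a file modified after signing fails to verify. The key pair, the `$WORK` directory and the stand-in `digests` file are constructed for the demo; the script only shows openssl's own SHA-256 file signing and does not reproduce how `pkg repo` itself produces the `signature` inside `digests.txz`, which the message leaves open.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the manual
# openssl sign/verify round-trip from the message and show that a
# modified file no longer verifies. Key and file names under $WORK are
# constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 2048-bit RSA key pair, as the post generates for the repository key.
make_keys() {
    openssl genrsa -out "$WORK/repo.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/repo.key" -pubout -out "$WORK/repo.pub" 2>/dev/null
}

# Sign file $1 with SHA-256 and the RSA private key; raw binary signature to $2.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/repo.key" -binary -out "$WORK/$2" "$WORK/$1"
}

# Verify file $1 against signature $2 with the public key.
# Exit status 0 on "Verified OK", non-zero on "Verification Failure".
verify_file() {
    openssl dgst -sha256 -verify "$WORK/repo.pub" -signature "$WORK/$2" "$WORK/$1" >/dev/null 2>&1
}

# Constructed stand-in for the digests file a repository catalog would carry.
printf 'pkgconf-0.9.4.txz:placeholder-sha256\n' > "$WORK/digests"

make_keys
sign_file digests signature

# A signature made over the same bytes with the matching key verifies...
if verify_file digests signature; then
    echo "digests: Verified OK"
else
    echo "digests: unexpected Verification Failure"; exit 1
fi

# ...while changing a single byte of the signed file breaks it.
printf 'pkgconf-0.9.4.txz:Placeholder-sha256\n' > "$WORK/digests.tampered"
if verify_file digests.tampered signature; then
    echo "tampered: unexpectedly verified"; exit 1
else
    echo "tampered: Verification Failure (as expected)"
fi
```

The second half is the check to keep in mind when a manual `openssl dgst -verify` fails, as in the message: the failure tells you only that the public key, the signature bytes and the exact bytes (and hashing) that were signed do not line up, not which of the three differs.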