From: Baptiste Daroussin
To: Andrew Savchenko
Cc: freebsd-pkg@freebsd.org
Date: Fri, 11 Sep 2020 16:22:23 +0200
Subject: Re: Switching `pkg` to HTTPS by default
Message-ID: <20200911142223.kt7cfs5zbu7qwtsn@ivaldir.net>

On Fri, Sep 11, 2020 at 04:14:57PM +0200, Baptiste Daroussin wrote:
> On Fri, Sep 11, 2020 at 11:11:37PM +0930, Andrew Savchenko wrote:
> > Hello,
> >
> > I have added the following snippet under the
> > /usr/local/etc/pkg/repos/FreeBSD.conf:
> >
> > ```
> > FreeBSD: {
> >   url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
> >   mirror_type: "srv",
> >   signature_type: "fingerprints",
> >   fingerprints: "/usr/share/keys/pkg",
> >   enabled: yes
> > }
> > ```
> >
> > Note the "https" part of the address. Regardless, `pkg` continued fetching
> > binaries over unencrypted http. I had to change the /etc/pkg/FreeBSD.conf for
> > this to have any effect.
>
> This discussion happened many times in the past. Regarding the pkg repository,
> the https does not bring much as everything is signed and checked against checksums.
>
> That said, the point of not having https by default is only related to the fact
> that by default there is no CAROOT so no way to validate the certificates in
> base, so the bootstrap will fail.
>
> Note that this is doable now in CURRENT.

Sorry, I completely misread your report. Yes, this is a bug; I will look into it.

What does pkg -vv tell you?

Best regards,
Bapt
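
As an added example (not part of the original message and not code from pkg): the symptom reported in this thread is that the repository settings in effect differ from the ones configured, which is what `pkg -vv` shows. The function below reads that output and reports, per enabled repository, the transport and signature type actually in use. The sample text is constructed, its layout is an assumption modeled on `pkg -vv`, and the repository `internal` and host `pkg.example.org` are hypothetical.

```sh
# Added example (not from the thread). Reads `pkg -vv` text on stdin and prints,
# per enabled repository: <name> <transport> <signature_type> <status>
audit_pkg_repos() {
    awk '
    function val(line) {                     # text after the first ":"
        sub(/^[^:]*:[ \t]*/, "", line)
        gsub(/[", \t]/, "", line)            # drop quotes, commas, blanks
        return line
    }
    /^Repositories:/ { in_repos = 1; next }
    !in_repos { next }                       # skip the global settings part
    /^[ \t]*[A-Za-z0-9_.-]+:[ \t]*[{]/ {     # "name: {" opens a repository
        name = $1; sub(/:.*/, "", name)
        url = ""; sig = "none"; enabled = "yes"
        next
    }
    /^[ \t]*url[ \t]*:/            { url = val($0); next }
    /^[ \t]*signature_type[ \t]*:/ { sig = tolower(val($0)); next }
    /^[ \t]*enabled[ \t]*:/        { enabled = val($0); next }
    /^[ \t]*[}]/ && name != "" {             # "}" closes it: report the result
        scheme = url
        sub(/:\/\/.*/, "", scheme)           # keep what precedes "://"
        sub(/^pkg[+]/, "", scheme)           # pkg+https -> https
        status = "OK"
        if (sig == "none") status = "UNSIGNED"
        else if (scheme != "https") status = "NOT-HTTPS"
        if (enabled == "yes") print name, scheme, sig, status
        name = ""
    }'
}

# Constructed sample; layout modeled on `pkg -vv` output (an assumption).
sample_pkg_vv() {
    cat <<'EOF'
ABI = "FreeBSD:12:amd64";
Repositories:
  FreeBSD: {
    url             : "pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly",
    enabled         : yes,
    signature_type  : "FINGERPRINTS"
  }
  internal: {
    url             : "https://pkg.example.org/packages",
    signature_type  : "NONE"
  }
EOF
}

sample_pkg_vv | audit_pkg_repos
```

On a FreeBSD host, `pkg -vv | audit_pkg_repos` after editing the repository files shows whether the override took effect.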