Date: Tue, 14 Jan 2014 13:58:31 +0100 From: Baptiste Daroussin <bapt@FreeBSD.org> To: Yuri <yuri@rawbw.com> Cc: freebsd-pkg@freebsd.org Subject: Re: Does pkg check signatures? Message-ID: <20140114125830.GB77567@ithaqua.etoilebsd.net> In-Reply-To: <52D530CE.4090908@rawbw.com> References: <52D5269A.5090803@rawbw.com> <52D52926.5090104@infracaninophile.co.uk> <52D530CE.4090908@rawbw.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Tue, Jan 14, 2014 at 04:42:54AM -0800, Yuri wrote: > On 01/14/2014 04:10, Matthew Seaman wrote: > > pkg is fully capable of checking cryptographic signatures if configured > > to do so. Specifically you need 'signature-type' and 'fingerprints' > > defined in your repo.conf > > > > Try using the standard /etc/pkg/FreeBSD.conf available here: > > > > http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=log > > > > and the public key in /usr/share/keys/pkg available here: > > > > http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?view=log > > I followed your instructions. File /usr/local/etc/pkg/repos/FreeBSD.conf > is like this: > ---begin--- > FreeBSD: { > url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", > mirror_type: "srv", > signature_type: "fingerprints", > fingerprints: "/usr/share/keys/pkg", > enabled: yes > } > ---end--- > > and file /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is like > this: > ---begin--- > # $FreeBSD$ > > function: "sha256" > fingerprint: > "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438" > ---end--- > > 'pkg install' reads the first file, doesn't read the second file, and > succeeds downloading and installing a package. Something is wrong. > Which file is this fingerprint for? Every downloaded file should have > individual signature downloaded with it. > What is signed is the catalog which contains the hash of all the available packages. So the signature is only checked during pkg update in case the database is being updated not during package installation because it the not needed, the fetched packages are tested agains their hash. regards, Bapt [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (FreeBSD) iEYEARECAAYFAlLVNHYACgkQ8kTtMUmk6EzkQwCglMwuYVGSPJ8od8w+cupqL6oa 5PAAnAwASMVqudX7wPfmjdu6ejE9XIG0 =Rwf5 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140114125830.GB77567>