From owner-freebsd-pkg@FreeBSD.ORG Tue Jan 14 12:58:36 2014 Return-Path: Delivered-To: freebsd-pkg@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 36C74D76 for ; Tue, 14 Jan 2014 12:58:36 +0000 (UTC) Received: from mail-we0-x233.google.com (mail-we0-x233.google.com [IPv6:2a00:1450:400c:c03::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id BDDDA1214 for ; Tue, 14 Jan 2014 12:58:35 +0000 (UTC) Received: by mail-we0-f179.google.com with SMTP id w62so333597wes.24 for ; Tue, 14 Jan 2014 04:58:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; bh=p18EqwRR+E6WAeRSD6pytL6UhDeXEYhh1QOxwu1YmG8=; b=hCqdF+jqWMMWcHY2x8d7E/WELnDcRGZjoVzVsZyaWDbMYqnhp35lc5eSvemaE5MiBI dxDaSYy/2oZ9YrAsytzgDS5BBk8fJ4q7ORSXk5wtJ/UMyAuqAN/Znjj37V/GXuialFtC tEuXpFaMMrSm7aoCl9ihcBwrFsPGWt5wVFWn7Kt1melRVtOJCtHccrpVwQECSQb4oWiP 4PfPYYu4YL7kzxvHV5DmzKy4AlQBNqJLR6bv9KtDBSe6lELoa3uM6xS0ybmy1bn5RCY7 y5MuWoqvruQ69o4kQmHq3OOB2oxV5WiG5tn2PZyhtqUeXXYXpFEhIcr/dGEAE5Hb4lUM bQKA== X-Received: by 10.194.175.66 with SMTP id by2mr8475415wjc.59.1389704314091; Tue, 14 Jan 2014 04:58:34 -0800 (PST) Received: from ithaqua.etoilebsd.net (ithaqua.etoilebsd.net. [37.59.37.188]) by mx.google.com with ESMTPSA id dh8sm1369502wib.4.2014.01.14.04.58.32 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 14 Jan 2014 04:58:32 -0800 (PST) Sender: Baptiste Daroussin Date: Tue, 14 Jan 2014 13:58:31 +0100 From: Baptiste Daroussin To: Yuri Subject: Re: Does pkg check signatures? Message-ID: <20140114125830.GB77567@ithaqua.etoilebsd.net> References: <52D5269A.5090803@rawbw.com> <52D52926.5090104@infracaninophile.co.uk> <52D530CE.4090908@rawbw.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="f2QGlHpHGjS2mn6Y" Content-Disposition: inline In-Reply-To: <52D530CE.4090908@rawbw.com> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-pkg@freebsd.org X-BeenThere: freebsd-pkg@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Binary package management and package tools discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 12:58:36 -0000 --f2QGlHpHGjS2mn6Y Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 14, 2014 at 04:42:54AM -0800, Yuri wrote: > On 01/14/2014 04:10, Matthew Seaman wrote: > > pkg is fully capable of checking cryptographic signatures if configured > > to do so. Specifically you need 'signature-type' and 'fingerprints' > > defined in your repo.conf > > > > Try using the standard /etc/pkg/FreeBSD.conf available here: > > > > http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=3Dlog > > > > and the public key in /usr/share/keys/pkg available here: > > > > http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.= org.2013102301?view=3Dlog >=20 > I followed your instructions. File /usr/local/etc/pkg/repos/FreeBSD.conf= =20 > is like this: > ---begin--- > FreeBSD: { > url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", > mirror_type: "srv", > signature_type: "fingerprints", > fingerprints: "/usr/share/keys/pkg", > enabled: yes > } > ---end--- >=20 > and file /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is like= =20 > this: > ---begin--- > # $FreeBSD$ >=20 > function: "sha256" > fingerprint:=20 > "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438" > ---end--- >=20 > 'pkg install' reads the first file, doesn't read the second file, and=20 > succeeds downloading and installing a package. Something is wrong. > Which file is this fingerprint for? Every downloaded file should have=20 > individual signature downloaded with it. >=20 What is signed is the catalog which contains the hash of all the available packages. So the signature is only checked during pkg update in case the database is = being updated not during package installation because it the not needed, the fetc= hed packages are tested agains their hash. regards, Bapt --f2QGlHpHGjS2mn6Y Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (FreeBSD) iEYEARECAAYFAlLVNHYACgkQ8kTtMUmk6EzkQwCglMwuYVGSPJ8od8w+cupqL6oa 5PAAnAwASMVqudX7wPfmjdu6ejE9XIG0 =Rwf5 -----END PGP SIGNATURE----- --f2QGlHpHGjS2mn6Y--