From owner-freebsd-stable@FreeBSD.ORG  Thu Dec 27 16:22:59 2012
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id BD9627D8
 for <freebsd-stable@freebsd.org>; Thu, 27 Dec 2012 16:22:59 +0000 (UTC)
 (envelope-from rainer@ultra-secure.de)
Received: from mail.ultra-secure.de (mail.ultra-secure.de [78.47.114.122])
 by mx1.freebsd.org (Postfix) with ESMTP id 054388FC12
 for <freebsd-stable@freebsd.org>; Thu, 27 Dec 2012 16:22:58 +0000 (UTC)
Received: (qmail 19292 invoked by uid 89); 27 Dec 2012 16:22:57 -0000
Received: by simscan 1.4.0 ppid: 19287, pid: 19289, t: 0.1287s
 scanners: attach: 1.4.0 clamav: 0.97.3/m:54/d:16139
Received: from unknown (HELO suse3) (rainer@ultra-secure.de@212.71.117.1)
 by mail.ultra-secure.de with ESMTPA; 27 Dec 2012 16:22:57 -0000
Date: Thu, 27 Dec 2012 17:22:56 +0100
From: Rainer Duffner <rainer@ultra-secure.de>
To: freebsd-stable@freebsd.org
Subject: Anothe pkgng question: signing a repository
Message-ID: <20121227172256.647c6728@suse3>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.10; x86_64-suse-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Dec 2012 16:22:59 -0000

Hi,

I'm creating my own repository and have created a key for it.

I've created a CSR for it and used that to generate a certificate via
our internal CA. Because there was no other information available, I
used the profile that we use to generate SSL-certificates for web
servers.

I copied the certificate to the server and adjusted pkg.conf, but when I
want to query the repository, I get:

root@server:/etc/ssl/cert # pkg install net-snmpd
Updating repository catalogue
repo.txz
100%  219KB 219.5KB/s 219.5KB/s   00:00 pkg: error reading public
key(/etc/ssl/pkg.conf): error:0906D06C:PEM routines:PEM_read_bio:no
start line pkg: Invalid signature, removing repository.


What does pkg expect to be in this file?


openssl x509 displays the data for the certificate correctly, so I
really don't know what's missing.

I ktraced pkg and it is indeed reading the file.




Best Regards
Rainer