Date: Fri, 28 Dec 2012 17:28:38 +0000 From: Matthew Seaman <matthew@FreeBSD.org> To: Garrett Wollman <wollman@hergotha.csail.mit.edu> Cc: stable@freebsd.org, rainer@ultra-secure.de Subject: Re: Anothe pkgng question: signing a repository Message-ID: <50DDD6C6.3050606@FreeBSD.org> In-Reply-To: <201212272101.qBRL1hXP016548@hergotha.csail.mit.edu> References: <201212272101.qBRL1hXP016548@hergotha.csail.mit.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigB43379DFA8FF395CEF022909 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 27/12/2012 21:01, Garrett Wollman wrote: >> I'm creating my own repository and have created a key for it. > [...] >> >What does pkg expect to be in this file? > A public key. It does not use X.509 (nor is there any reason why it > should, although I suppose it could be made to at the cost of > significant added complexity and a bootstrapping problem). pkgng has a quite minimal signing setup -- it uses naked RSA public/private keys without committing to either of the two popular models for providing assurance on the validity of public keys (viz: PGP web of trust or X509 style certificate chains to some trusted root certificate). It's not clear at the moment if one or other or neither of those styles would be preferred in the future. Or it may well be the case that RFC6698 (DANE -- DNS-Based Authentication of Named Entities) via DNSSEC signed zone data[*] is preferred over either of the two means frequently used at the moment. Remember that there's really only one cryptographic signature needed for each architecture/OS version specific repository catalogue. So not a huge maintenance burden keeping the DNS up to date and signed even if a new repository catalogue is published each day. Cheers, Matthew [*] FreeBSD.org is not currently DNSSEC signed, so use of DANE will have to remain no more than a pipe-dream for the time being. --=20 Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey --------------enigB43379DFA8FF395CEF022909 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlDd1s0ACgkQ8Mjk52CukIzyzgCfaZh4H22FAy4VfZWUK4p4GaHK gTkAn3bAw4naA/+y32KEmoGaEG8tEde3 =pcPU -----END PGP SIGNATURE----- --------------enigB43379DFA8FF395CEF022909--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50DDD6C6.3050606>