From owner-freebsd-stable@FreeBSD.ORG Fri Dec 28 17:28:50 2012 Return-Path: Delivered-To: stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DA64D84A for ; Fri, 28 Dec 2012 17:28:50 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.infracaninophile.co.uk (smtp6.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) by mx1.freebsd.org (Postfix) with ESMTP id 636DE8FC0C for ; Fri, 28 Dec 2012 17:28:50 +0000 (UTC) Received: from seedling.black-earth.co.uk (seedling.black-earth.co.uk [81.2.117.99]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.6/8.14.5) with ESMTP id qBSHSjjA013260 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Fri, 28 Dec 2012 17:28:45 GMT (envelope-from matthew@FreeBSD.org) DKIM-Filter: OpenDKIM Filter v2.7.3 smtp.infracaninophile.co.uk qBSHSjjA013260 Authentication-Results: smtp.infracaninophile.co.uk/qBSHSjjA013260; dkim=none reason="no signature"; dkim-adsp=none (insecure policy) Message-ID: <50DDD6C6.3050606@FreeBSD.org> Date: Fri, 28 Dec 2012 17:28:38 +0000 From: Matthew Seaman User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/17.0 Thunderbird/17.0 MIME-Version: 1.0 To: Garrett Wollman Subject: Re: Anothe pkgng question: signing a repository References: <201212272101.qBRL1hXP016548@hergotha.csail.mit.edu> In-Reply-To: <201212272101.qBRL1hXP016548@hergotha.csail.mit.edu> X-Enigmail-Version: 1.4.6 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigB43379DFA8FF395CEF022909" X-Virus-Scanned: clamav-milter 0.97.6 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-1.5 required=5.0 tests=AWL,BAYES_00,SPF_SOFTFAIL autolearn=no version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on lucid-nonsense.infracaninophile.co.uk Cc: stable@freebsd.org, rainer@ultra-secure.de X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Dec 2012 17:28:50 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigB43379DFA8FF395CEF022909 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 27/12/2012 21:01, Garrett Wollman wrote: >> I'm creating my own repository and have created a key for it. > [...] >> >What does pkg expect to be in this file? > A public key. It does not use X.509 (nor is there any reason why it > should, although I suppose it could be made to at the cost of > significant added complexity and a bootstrapping problem). pkgng has a quite minimal signing setup -- it uses naked RSA public/private keys without committing to either of the two popular models for providing assurance on the validity of public keys (viz: PGP web of trust or X509 style certificate chains to some trusted root certificate). It's not clear at the moment if one or other or neither of those styles would be preferred in the future. Or it may well be the case that RFC6698 (DANE -- DNS-Based Authentication of Named Entities) via DNSSEC signed zone data[*] is preferred over either of the two means frequently used at the moment. Remember that there's really only one cryptographic signature needed for each architecture/OS version specific repository catalogue. So not a huge maintenance burden keeping the DNS up to date and signed even if a new repository catalogue is published each day. Cheers, Matthew [*] FreeBSD.org is not currently DNSSEC signed, so use of DANE will have to remain no more than a pipe-dream for the time being. --=20 Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey --------------enigB43379DFA8FF395CEF022909 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlDd1s0ACgkQ8Mjk52CukIzyzgCfaZh4H22FAy4VfZWUK4p4GaHK gTkAn3bAw4naA/+y32KEmoGaEG8tEde3 =pcPU -----END PGP SIGNATURE----- --------------enigB43379DFA8FF395CEF022909--