Date: Tue, 8 Sep 2015 16:48:10 +0200
From: Marko Cupać <marko.cupac@mimar.rs>
To: Fabian Keil <freebsd-listen@fabiankeil.de>
Cc: freebsd-stable@freebsd.org
Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Message-ID: <20150908164810.27a08132@efreet>
In-Reply-To: <71b353bf.343f9c90@fabiankeil.de>
References: <20150908123838.238e5e74@efreet> <71b353bf.343f9c90@fabiankeil.de>

On Tue, 8 Sep 2015 15:38:02 +0200
Fabian Keil <freebsd-listen@fabiankeil.de> wrote:

> Marko Cupać <marko.cupac@mimar.rs> wrote:
>
> > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > with signature_type="pubkey".
> >
> > Quick search returns:
> > https://github.com/freebsd/pkg/issues/1309
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> >
> > I guess it is not hard to switch repo to fingerprints, however I
> > would not expect to lose this functionality by updating to
> > patchlevel.
>
> The "functionality" pkg(7) "lost" is silently ignoring unsupported
> signature types which is dangerous if the network can't be trusted:
> https://www.freebsd.org/security/advisories/FreeBSD-EN-15:15.pkg.asc
> https://www.fabiankeil.de/gehacktes/hardenedbsd/
>
> If you absolutely want to, you can still bootstrap insecurely by
> temporarily setting the signature type to none.

I absolutely _don't_ want to bootstrap insecurely, and I am thankful to
people more skilled in security than me for discovering and fixing
vulnerabilities. I'd like to have the ability to bootstrap from my repo
securely, which I thought I had.

I am trying to switch to fingerprints, but I need a little help. On
client, I have:
- changed signature_type to "fingerprints"
- pointed fingerprints to a directory
- created two subdirs, 'revoked' and 'trusted'
- inside trusted, created a file with 'function' and 'fingerprint'

But when I try to bootstrap, I get the following message:

pkg: Error fetching
http://pkg.example.com/packages/102amd64-default/Latest/pkg.txz.sig:
Not Found

I am trying to follow example from pkg-repo(8) about creating and
signing repo with external command, but it does not work for me. To be
honest, I don't understand what exactly first command is supposed to
do. I guess it should create file similar to pkg.txz.sig on FreeBSD pkg
site, but it doesn't. Perhaps because I am using tcsh and not sh, but
switching to sh doesn't help either:

    # On signing server:
    % cat > sign.sh << EOF
    #!/bin/sh
    read -t 2 sum
    [ -z "$sum" ] && exit 1
    echo SIGNATURE
    echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
    echo
    echo CERT
    cat repo.pub
    echo END
    EOF

The one who helps me figure this out can count on a few dozens of beers
when passing through Belgrade/Serbia.
-- 
Marko Cupać
https://www.mimar.rs/
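The signing script and fingerprint file discussed in the message above, as an added example that is not part of the original e-mail or of pkg's documentation: it writes sign.sh through a quoted here-document delimiter so that `$sum` reaches the file unexpanded, signs a constructed digest with a throwaway key, verifies the result, and writes a `function`/`fingerprint` file. Assumptions: `openssl` is on PATH, the fingerprint is the SHA-256 of `repo.pub`, `read -r` stands in for the message's `read -t 2`, and the function names are hypothetical.

```shell
# Added example: throwaway key and constructed digest, for illustration only.

# Write sign.sh. The quoted 'EOF' keeps "$sum" literal; with an unquoted
# delimiter the shell would expand it while the file is being written.
write_sign_script() {
    cat > "$1/sign.sh" << 'EOF'
#!/bin/sh
read -r sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
printf '%s' "$sum" | openssl dgst -sign repo.key -sha256 -binary
echo
echo CERT
cat repo.pub
echo END
EOF
    chmod +x "$1/sign.sh"
}

# Throwaway 2048-bit RSA key pair, using the file names from the message.
make_keys() {
    openssl genrsa -out "$1/repo.key" 2048 2>/dev/null &&
    openssl rsa -in "$1/repo.key" -pubout -out "$1/repo.pub" 2>/dev/null
}

# Fingerprint file for the client's trusted/ directory.
# Assumption: the fingerprint is the SHA-256 of the repo.pub file.
write_fingerprint() {
    fp=$(openssl dgst -sha256 < "$1/repo.pub" | awk '{print $NF}') || return 1
    printf 'function: sha256\nfingerprint: %s\n' "$fp" > "$1/fingerprint"
}

# Feed digest $2 to sign.sh, check the markers, verify the signature.
sign_and_verify() (
    cd "$1" || exit 1
    printf '%s\n' "$2" | sh ./sign.sh > out.bin || exit 1
    LC_ALL=C grep -a -q '^CERT$' out.bin || exit 1
    LC_ALL=C grep -a -q '^END$' out.bin || exit 1
    # A 2048-bit RSA signature is 256 bytes, right after "SIGNATURE\n".
    tail -c +11 out.bin | head -c 256 > sig.bin
    printf '%s' "$2" | openssl dgst -sha256 -verify repo.pub -signature sig.bin >/dev/null
)

# Demo run in a temporary directory.
d=$(mktemp -d) && write_sign_script "$d" && make_keys "$d" &&
    write_fingerprint "$d" && sign_and_verify "$d" "constructed-digest" &&
    cat "$d/fingerprint"
rm -rf "$d"
```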
