Date: Tue, 8 Sep 2015 16:48:10 +0200
From: Marko Cupać
To: Fabian Keil
Cc: freebsd-stable@freebsd.org
Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Message-ID: <20150908164810.27a08132@efreet>
In-Reply-To: <71b353bf.343f9c90@fabiankeil.de>

On Tue, 8 Sep 2015 15:38:02 +0200
Fabian Keil wrote:

> Marko Cupać wrote:
>
> > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > with signature_type="pubkey".
> >
> > Quick search returns:
> > https://github.com/freebsd/pkg/issues/1309
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> >
> > I guess it is not hard to switch repo to fingerprints, however I
> > would not expect to lose this functionality by updating to
> > patchlevel.
>
> The "functionality" pkg(7) "lost" is silently ignoring unsupported
> signature types which is dangerous if the network can't be trusted:
> https://www.freebsd.org/security/advisories/FreeBSD-EN-15:15.pkg.asc
> https://www.fabiankeil.de/gehacktes/hardenedbsd/
>
> If you absolutely want to, you can still bootstrap insecurely by
> temporarily setting the signature type to none.

I absolutely _don't_ want to bootstrap insecurely, and I am thankful to
people more skilled in security than me for discovering and fixing
vulnerabilities.

I'd like to have the ability to bootstrap from my repo securely, which
I thought I had. I am trying to switch to fingerprints, but I need a
little help.

On client, I have:
- changed signature_type to "fingerprints"
- pointed fingerprints to a directory
- created two subdirs, 'revoked' and 'trusted'
- inside trusted, created a file with 'function' and 'fingerprint'

But when I try to bootstrap, I get the following message:

pkg: Error fetching http://pkg.example.com/packages/102amd64-default/Latest/pkg.txz.sig: Not Found

I am trying to follow example from pkg-repo(8) about creating and
signing repo with external command, but it does not work for me. To be
honest, I don't understand what exactly first command is supposed to
do. I guess it should create file similar to pkg.txz.sig on FreeBSD pkg
site, but it doesn't. Perhaps because I am using tcsh and not sh, but
switching to sh doesn't help either:

# On signing server:
% cat > sign.sh << EOF
#!/bin/sh
read -t 2 sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
echo
echo CERT
cat repo.pub
echo END
EOF

The one who helps me figure this out can count on a few dozen beers
when passing through Belgrade/Serbia.

-- 
Marko Cupać
https://www.mimar.rs/
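
Added example, not part of the original message or of pkg-repo(8): under sh, a heredoc with an unquoted delimiter (<< EOF) expands $sum while the file is being written, so the quoted and unquoted forms leave different scripts on disk. The function names and temporary paths below are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: what each heredoc form actually writes to disk.
# Function names and temp paths are illustrative assumptions.
unset sum    # as in a fresh shell, where $sum has no value

# Unquoted delimiter, as typed in the message: the shell doing the
# writing expands $sum before cat ever sees the text.
write_unquoted() {
    cat > "$1" << EOF
#!/bin/sh
read -t 2 sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
echo
echo CERT
cat repo.pub
echo END
EOF
}

# Quoted delimiter: the body is copied literally, so $sum is still a
# variable reference when the generated script runs later.
write_quoted() {
    cat > "$1" << 'EOF'
#!/bin/sh
read -t 2 sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
echo
echo CERT
cat repo.pub
echo END
EOF
}

# Succeeds only if the emptiness test still refers to $sum.
keeps_variable() {
    grep -F -q '[ -z "$sum" ] && exit 1' "$1"
}

tmp=$(mktemp -d)
write_unquoted "$tmp/sign-unquoted.sh"
write_quoted "$tmp/sign-quoted.sh"
for f in "$tmp/sign-unquoted.sh" "$tmp/sign-quoted.sh"; do
    keeps_variable "$f" && echo "${f##*/}: \$sum preserved" \
        || echo "${f##*/}: \$sum expanded away at write time"
done
rm -rf "$tmp"
```

The file written with the unquoted delimiter contains the test [ -z "" ] && exit 1, which is true for every input, so that script exits with status 1 before it prints SIGNATURE.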