Date: Wed, 09 Sep 2015 09:21:24 -0400 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: freebsd-stable@freebsd.org Cc: Baptiste Daroussin <bapt@freebsd.org>, Marko =?utf-8?B?Q3VwYcSH?= <marko.cupac@mimar.rs> Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey" Message-ID: <2724677.3oEEqWz8m7@hbsd-dev-laptop> In-Reply-To: <20150909085620.GF38185@ivaldir.etoilebsd.net> References: <20150908123838.238e5e74@efreet> <20150909091412.350c51ed@efreet> <20150909085620.GF38185@ivaldir.etoilebsd.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Wednesday, 09 September 2015 10:56:20 AM Baptiste Daroussin wrote: > On Wed, Sep 09, 2015 at 09:14:12AM +0200, Marko Cupać wrote: > > On Tue, 8 Sep 2015 23:28:59 +0200 > > > > Baptiste Daroussin <bapt@FreeBSD.org> wrote: > > > On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote: > > > > Hi, > > > > > > > > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg > > > > with signature_type="pubkey". > > > > > > > > Quick search returns: > > > > https://github.com/freebsd/pkg/issues/1309 > > > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622 > > > > > > > > I guess it is not hard to switch repo to fingerprints, however I > > > > would not expect to lose this functionality by updating to > > > > patchlevel. > > > > > > Implemented in head: r287579 I will MFC it asap. And see if it cannot > > > be added asap to a next patchlevel update. > > > > > > Best regards, > > > Bapt > > > > Thanx! > > > > Just a few quick not-completely-related questions: poudriere has the > > ability to sign repos with PKG_REPO_SIGNING_KEY, but not with external > > command, right? Is there a plan to support it? Can I build packages in > > poudriere without PKG_REPO_SIGNING_KEY, and sign repo later on with > > external command? > > First yes I plan to add the ability to sign the package used to bootstrap > via PKG_REPO_SIGNING_KEY asap in poudriere. > > Second you can keep your current configuration of poudriere, the signing > with pubkey works perfectly well. All you need to do is either via a > poudriere post bulk hook or manually go in the directory where your > packages lives (in the Latest directory) and > echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \ > -binary -out ./pkg.txz.pubkeysig I can't find any documentation in neither Poudriere's manpage nor in poudriere.conf.sample on how toadd a post bulk hook. Is the signing_command option to `pkg repo` really only used in generating pkg.txz.sig? Is there any formal documentation about the cryptography design and architecture in relation to pkg's repositories? Thanks, -- Shawn Webb HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAABCAAGBQJV8DJUAAoJEGqEZY9SRW7uOfcP/0SodYgEw60fXE43ilxc4WEX fVPQhjCAkmzUo3KKqqOBNfXbjVeyeWe/6aULYx07ihqOUmF9X37i6MXprY0w0pYO xJ1ytgIUyULc0Erluo8xcRs/yBYtuXh39cZGU34xfE7oD0UkyK+WZx2NT29cDt8K 7W+Rkzoimo1bxdKBGy8GPOgzvZH0A8QA6STy7XpuxVOkzJD1I3T47ZUd2qWCzcOa NEBbiBJ2pK6fgiE+C9j1+Q9S/wN47cMD2f4JqO8Jg6OcBTkWIRqh/XO2E6cEOYma 3XIrOfmyGP7jpa/pTFIEf4gMc3IFAAdiNyFV63gbUJ6Hcz6RenRyMsK8TVvAkajR ZGg6qjMwtLV20uDFVs9rHLTLXDYBwj6xOqMEA9yDONTI1CRKNn7w8j/SDCJg5NH2 9mGbh+RkjuZHD0GDUewXJ+KsM5rpGA+Slue5FZRP2JlrsFKckyy8G2GEgpxIzBG+ oIx3ziglB2YWwaITjU6FOeKJMy57F1XCh4E0ikTg6pe5Zk3t+83UgYAG6t+lOj5e DslYE3tp/wkgcRJ0+vOJpltrTUxQpXI+3hXqI4AMFDN0y1w6MIMo+JVYbT85Kaoe 9/aFipHkWIHajEOzJ1R8fAYu95PUDWBbVZn5vFBOKLSSLkx2lyDKAuvR3I6tv4FH qEBMkUj5Q3yiX1lfinZm =J3L5 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2724677.3oEEqWz8m7>