
Re: [edgebsd-developers] [PATCH] Added support for creating signed binary packages directly



Oops, sorry for the duplicate e-mail, still figuring out how to
efficiently send a patch by e-mail from Git...

I did this basically:
$ sendmail edgebsd-developers@xxxxxxxxxxxxxxxxx <
http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=patch;h=b2ad0ec7e434d221d92218c52b18558a825f5ec9

Anyway, what I really mean to say is:
- I have created a "khorben-signing" branch for edgebsd-pkgsrc;
- it includes the patch below;
- this patch allows me to create signed binary packages from pkgsrc.

Although also supporting X509-based signatures, I have only tested
GPG-based signatures so far - and it seems to work.

So yeah, I think this is good news, and I am busy preparing a first
batch of signed, binary packages for EdgeBSD so as to properly get this
tested for not just me.

Quick howto:

add this to mk.conf:
SIGN_PACKAGES=gpg

or for X509:
SIGN_PACKAGES=x509
X509_KEY=/path/to/the/key
X509_CERTIFICATE=/path/to/the/certificate

add this to pkg_install.conf:
GPG=/path/to/bin/gpg
GPG_SIGN_AS=your-user-id
VERIFIED_INSTALLATIONS=always

With these set and the patch applied, packages should be signed
automatically, e.g.:
/home/pkgsrc/pkg/sbin/pkg_admin -K /home/pkgsrc/pkg/var/db/pkg
gpg-sign-package
/home/pkgsrc/work/wrk/devel/deforaos-libsystem/work/.packages/deforaos-libsystem-0.1.5nb1.tgz
/home/pkgsrc/packages/All/deforaos-libsystem-0.1.5nb1.tgz

You need a passphrase to unlock the secret key for
user: "EdgeBSD Packages <root@xxxxxxxxxxx>"
4096-bit RSA key, ID 6F3AF5E2, created 2013-08-29

...and then the package can be installed as expected.

I am still working on checking that the packages are properly verified.

HTH,
-- khorben

On 30/08/2013 01:26, Pierre Pronchery wrote:
> ---
>  mk/defaults/mk.conf         |   15 +++++++++++++++
>  mk/pkgformat/pkg/package.mk |   12 ++++++++++++
>  2 files changed, 27 insertions(+), 0 deletions(-)
> 
> diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
> index 46b89a2..86e4f06 100644
> --- a/mk/defaults/mk.conf
> +++ b/mk/defaults/mk.conf
> @@ -60,6 +60,21 @@ GZIP?=	-9
>  # Possible: not defined, no
>  # Default: yes
>  
> +#SIGN_PACKAGES=
> +# sign the packages generated (when supported) with the method specified.
> +# Possible: gpg, x509, not defined
> +# Default: not defined
> +
> +#X509_KEY=
> +# key to use when signing packages with an X509 certificate.
> +# Possible: pathname to the key file, not defined
> +# Default: not defined
> +
> +#X509_CERTIFICATE=
> +# certificate to use when signing packages with an X509 certificate.
> +# Possible: pathname to the X509 certificate, not defined
> +# Default: not defined
> +
>  #OBJHOSTNAME=
>  # use hostname-specific object directories, e.g.  work.amnesiac, work.localhost
>  # OBJHOSTNAME takes precedence over OBJMACHINE (see below).
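Review bot: The X509_KEY and X509_CERTIFICATE entries do not say that both are required whenever SIGN_PACKAGES=x509, and the SIGN_PACKAGES entry does not say what a value other than gpg or x509 does (package.mk's `.else` then builds an unsigned package). Suggest extending the descriptions, e.g. `# key to use when signing packages with an X509 certificate (required together with X509_CERTIFICATE when SIGN_PACKAGES=x509).`, and noting under SIGN_PACKAGES that any other value leaves the package unsigned.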
> diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk
> index bfbfe57..3a0175b 100644
> --- a/mk/pkgformat/pkg/package.mk
> +++ b/mk/pkgformat/pkg/package.mk
> @@ -77,12 +77,24 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
>  	fi
>  
>  .if ${_USE_DESTDIR} != "no"
> +.if !empty(SIGN_PACKAGES:Mgpg)
> +${PKGFILE}: ${STAGE_PKGFILE}
> +	${RUN} ${MKDIR} ${.TARGET:H}
> +	@${STEP_MSG} "Creating signed binary package ${.TARGET}"
> +	${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE}
> +.elif !empty(SIGN_PACKAGES:Mx509)
> +${PKGFILE}: ${STAGE_PKGFILE}
> +	${RUN} ${MKDIR} ${.TARGET:H}
> +	@${STEP_MSG} "Creating signed binary package ${.TARGET}"
> +	${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} ${X509_CERTIFICATE}
> +.else
>  ${PKGFILE}: ${STAGE_PKGFILE}
>  	${RUN} ${MKDIR} ${.TARGET:H}
>  	@${STEP_MSG} "Creating binary package ${.TARGET}"
>  	${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
>  		${CP} -pf ${STAGE_PKGFILE} ${PKGFILE}
>  .endif
> +.endif
>  
>  ######################################################################
>  ### package-remove (PRIVATE)
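Review bot: The x509 branch runs `${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} ${X509_CERTIFICATE}` without checking that X509_KEY and X509_CERTIFICATE are defined, so an incomplete mk.conf ends in a pkg_admin invocation with missing arguments rather than a clear failure; guard it with something like `.if !defined(X509_KEY) || !defined(X509_CERTIFICATE)` followed by `PKG_FAIL_REASON+= "SIGN_PACKAGES=x509 requires X509_KEY and X509_CERTIFICATE"` (or `.error`). Related: the `.else` keeps the plain `${LN}`/`${CP}` copy for any SIGN_PACKAGES value that is neither gpg nor x509, so a typo silently yields an unsigned package; an `.elif !empty(SIGN_PACKAGES)` error branch would catch that. Note also that the new block is nested inside `.if ${_USE_DESTDIR} != "no"`, so signing only applies to DESTDIR builds; a comment saying so would help.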

-- 
khorben
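The following is an added example, not part of the patch, the mail, or pkgsrc itself. It is a pre-flight check for the settings in the howto above: it reads SIGN_PACKAGES, X509_KEY and X509_CERTIFICATE from a mk.conf-style file and GPG/GPG_SIGN_AS from a pkg_install.conf-style file, follows the same branch the patched package.mk takes on SIGN_PACKAGES, and reports what is missing before a build silently produces an unsigned package. The file names, the sample values and the assumption that a plain `VAR=value`/`VAR?=value` line is the only form that matters are all mine, not anything the patch defines.

```shell
#!/bin/sh
# Added example (not from the patch or from pkgsrc): pre-flight check for the
# package-signing settings described in the mail. Assumes mk.conf-style and
# pkg_install.conf-style files with simple VAR=value or VAR?=value lines.

# conf_get FILE VAR: print the value of VAR from FILE (last assignment wins,
# as in make); prints nothing when VAR is not set.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*?*=[[:space:]]*//p" "$1" | tail -n 1
}

# sign_plan MKCONF PKG_INSTALL_CONF: print the signing method package.mk would
# select (gpg, x509 or none) and return 1 if the settings for it are incomplete.
sign_plan() {
    mkconf=$1
    pic=$2
    status=0
    method=$(conf_get "$mkconf" SIGN_PACKAGES)
    case $method in
    gpg)
        # pkg_admin gpg-sign-package takes the gpg binary and the signing
        # user id from pkg_install.conf, so both must be present there.
        for v in GPG GPG_SIGN_AS; do
            [ -n "$(conf_get "$pic" "$v")" ] || {
                echo "$v is not set in $pic" >&2
                status=1
            }
        done
        ;;
    x509)
        # The x509 branch hands X509_KEY and X509_CERTIFICATE to pkg_admin
        # verbatim; catch unset or unreadable paths before make does not.
        for v in X509_KEY X509_CERTIFICATE; do
            f=$(conf_get "$mkconf" "$v")
            if [ -z "$f" ]; then
                echo "$v is not set in $mkconf" >&2
                status=1
            elif [ ! -r "$f" ]; then
                echo "$v=$f is not readable" >&2
                status=1
            fi
        done
        ;;
    "")
        # SIGN_PACKAGES undefined: package.mk builds an unsigned package.
        method=none
        ;;
    *)
        # Any other value falls through package.mk's .else: unsigned package,
        # which is almost certainly a typo rather than an intention.
        echo "SIGN_PACKAGES=$method is neither gpg nor x509; package would be unsigned" >&2
        method=none
        status=1
        ;;
    esac
    echo "$method"
    return $status
}

# demo: run the check against constructed sample files (not real configs).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'SIGN_PACKAGES=gpg\n' > "$tmp/mk.conf"
    printf 'GPG=/usr/pkg/bin/gpg\nGPG_SIGN_AS=packages@example.org\nVERIFIED_INSTALLATIONS=always\n' \
        > "$tmp/pkg_install.conf"
    sign_plan "$tmp/mk.conf" "$tmp/pkg_install.conf"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `demo` (or `sign_plan /etc/mk.conf /etc/pkg_install.conf` on a real host) before `make package`; a non-zero exit means the build would either fail inside pkg_admin or quietly produce an unsigned package.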



EdgeBSD developers <edgebsd-developers@xxxxxxxxxxxxxxxxx>