Re: [edgebsd-developers] [PATCH] Added support for creating signed binary packages directly
- To: edgebsd-developers@xxxxxxxxxxxxxxxxx
- Subject: Re: [edgebsd-developers] [PATCH] Added support for creating signed binary packages directly
- From: Pierre Pronchery <khorben@xxxxxxxxxxx>
- Date: Fri, 30 Aug 2013 01:52:13 +0200
- In-reply-to: <20130829233415.72DFA19C00@xxxxxxxxxxxxxxxx>
- Organization: The EdgeBSD Project
- References: <20130829233415.72DFA19C00@xxxxxxxxxxxxxxxx>
- User-agent: Mozilla/5.0 (X11; NetBSD amd64; rv:17.0) Gecko/20130810 Thunderbird/17.0.8
Oops, sorry for the duplicate e-mail, still figuring out how to efficiently send a patch by e-mail from Git... I did this basically:

$ sendmail edgebsd-developers@xxxxxxxxxxxxxxxxx < http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=patch;h=b2ad0ec7e434d221d92218c52b18558a825f5ec9

Anyway, what I really mean to say is:
- I have created a "khorben-signing" branch for edgebsd-pkgsrc;
- it includes the patch below;
- this patch allows me to create signed binary packages from pkgsrc.

Although also supporting X509-based signatures, I have only tested GPG-based signatures so far - and it seems to work.

So yeah, I think this is good news, and I am busy preparing a first batch of signed, binary packages for EdgeBSD so as to properly get this tested for not just me.

Quick howto:

add this to mk.conf:

SIGN_PACKAGES=gpg

or for X509:

SIGN_PACKAGES=x509
X509_KEY=/path/to/the/key
X509_CERTIFICATE=/path/to/the/certificate

add this to pkg_install.conf:

GPG=/path/to/bin/gpg
GPG_SIGN_AS=your-user-id
VERIFIED_INSTALLATIONS=always

With these set and the patch applied, packages should be signed automatically, e.g.:

/home/pkgsrc/pkg/sbin/pkg_admin -K /home/pkgsrc/pkg/var/db/pkg gpg-sign-package /home/pkgsrc/work/wrk/devel/deforaos-libsystem/work/.packages/deforaos-libsystem-0.1.5nb1.tgz /home/pkgsrc/packages/All/deforaos-libsystem-0.1.5nb1.tgz
You need a passphrase to unlock the secret key for user:
"EdgeBSD Packages <root@xxxxxxxxxxx>"
4096-bit RSA key, ID 6F3AF5E2, created 2013-08-29

...and then the package can be installed as expected.

I am still working on checking that the packages are properly verified.

HTH,
-- khorben

On 30/08/2013 01:26, Pierre Pronchery wrote:
> --- > mk/defaults/mk.conf | 15 +++++++++++++++ > mk/pkgformat/pkg/package.mk | 12 ++++++++++++ > 2 files changed, 27 insertions(+), 0 deletions(-) > > diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf > index 46b89a2..86e4f06 100644 > --- a/mk/defaults/mk.conf > +++ b/mk/defaults/mk.conf 
> @@ -60,6 +60,21 @@ GZIP?= -9 > # Possible: not defined, no > # Default: yes > > +#SIGN_PACKAGES= > +# sign the packages generated (when supported) with the method specified. > +# Possible: gpg, x509, not defined > +# Default: not defined > + > +#X509_KEY= > +# key to use when signing packages with an X509 certificate. > +# Possible: pathname to the key file, not defined > +# Default: not defined > + > +#X509_CERTIFICATE= > +# certificate to use when signing packages with an X509 certificate. > +# Possible: pathname to the X509 certificate, not defined > +# Default: not defined > + > #OBJHOSTNAME= > # use hostname-specific object directories, e.g. work.amnesiac, work.localhost > # OBJHOSTNAME takes precedence over OBJMACHINE (see below). > diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk > index bfbfe57..3a0175b 100644 > --- a/mk/pkgformat/pkg/package.mk > +++ b/mk/pkgformat/pkg/package.mk > @@ -77,12 +77,24 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS} > fi > > .if ${_USE_DESTDIR} != "no" > +.if !empty(SIGN_PACKAGES:Mgpg) > +${PKGFILE}: ${STAGE_PKGFILE} > + ${RUN} ${MKDIR} ${.TARGET:H} > + @${STEP_MSG} "Creating signed binary package ${.TARGET}" > + ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE} > +.elif !empty(SIGN_PACKAGES:Mx509) > +${PKGFILE}: ${STAGE_PKGFILE} > + ${RUN} ${MKDIR} ${.TARGET:H} > + @${STEP_MSG} "Creating signed binary package ${.TARGET}" > + ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} ${X509_CERTIFICATE} > +.else > ${PKGFILE}: ${STAGE_PKGFILE} > ${RUN} ${MKDIR} ${.TARGET:H} > @${STEP_MSG} "Creating binary package ${.TARGET}" > ${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \ > ${CP} -pf ${STAGE_PKGFILE} ${PKGFILE} > .endif > +.endif > > ###################################################################### > ### package-remove (PRIVATE) -- khorben EdgeBSD developers <edgebsd-developers@xxxxxxxxxxxxxxxxx>
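Review bot: the new mk/defaults/mk.conf comment block for SIGN_PACKAGES does not mention that the gpg method only works with GPG and GPG_SIGN_AS configured in pkg_install.conf (the howto in this thread relies on both), nor that X509_KEY names a private key that must not be readable by other users; add both to the comments, e.g. "# gpg additionally requires GPG and GPG_SIGN_AS in pkg_install.conf" under SIGN_PACKAGES and "# keep this file readable only by the user running pkgsrc" under X509_KEY. "X509" should also read "X.509" in the comments.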
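Review bot: in the x509 branch of mk/pkgformat/pkg/package.mk, ${X509_KEY} and ${X509_CERTIFICATE} are passed straight to pkg_admin with no check that they are set, so SIGN_PACKAGES=x509 with either variable unset runs "x509-sign-package ${STAGE_PKGFILE} ${PKGFILE}" with missing arguments and only fails at package time with pkg_admin's usage error; guard it with something like ".if empty(X509_KEY) || empty(X509_CERTIFICATE)" that appends to PKG_FAIL_REASON so the build stops early with a clear message. The same applies to the gpg branch, which depends on GPG_SIGN_AS in pkg_install.conf but cannot tell at make time whether it is set. Also, the new .if/.elif/.else is nested inside ".if ${_USE_DESTDIR} != \"no\"" and the hunk adds no signing rule for the other case, so SIGN_PACKAGES appears to be silently ignored in non-DESTDIR builds; either sign there too or fail with a message when SIGN_PACKAGES is set and DESTDIR is disabled.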
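The signing step the howto and the patch describe can be exercised outside of make, with the checks the mk fragment itself does not perform. The following POSIX sh script is an added example written for this page; it is not pkgsrc or EdgeBSD code. It takes the pkg_admin argument order from the patch ("gpg-sign-package STAGED OUT" and "x509-sign-package STAGED OUT KEY CERT"), assumes pkg_admin is reachable through an overridable PKG_ADMIN variable, refuses to run the x509 method with an unset, unreadable or group/world-readable key, and signs into a temporary file so a failed run never leaves a half-written package in the output directory. The key_is_private() and sign_package() names are the example's own.

```sh
#!/bin/sh
# Added example (not pkgsrc/EdgeBSD code): wrapper around the two pkg_admin
# signing subcommands named in the patch, with explicit precondition checks.
# Assumption: PKG_ADMIN names the pkg_admin binary (default: from PATH).
: "${PKG_ADMIN:=pkg_admin}"

die() { printf 'sign_package: %s\n' "$*" >&2; }

# Succeed only if the file has no group/other permission bits.
# ls -l is used rather than stat(1), whose flags differ between NetBSD and GNU.
key_is_private() {
    mode=$(ls -l "$1" | cut -c5-10)
    case "$mode" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# sign_package METHOD STAGED_PKG OUT_PKG [KEY CERT]
# METHOD is "gpg", "x509" or "" (plain copy, like the unpatched package.mk rule).
sign_package() {
    method=$1; staged=$2; out=$3; key=$4; cert=$5

    [ -r "$staged" ] || { die "staged package not readable: $staged"; return 1; }
    mkdir -p "$(dirname "$out")" || return 1
    tmp="$out.sig.$$"            # written first, renamed into place on success

    case "$method" in
    gpg)
        # GPG and GPG_SIGN_AS come from pkg_install.conf, not from arguments.
        "$PKG_ADMIN" gpg-sign-package "$staged" "$tmp" ;;
    x509)
        [ -n "$key" ] && [ -n "$cert" ] ||
            { die "x509: X509_KEY and X509_CERTIFICATE must both be set"; return 1; }
        [ -r "$key" ]  || { die "x509: key not readable: $key"; return 1; }
        [ -r "$cert" ] || { die "x509: certificate not readable: $cert"; return 1; }
        key_is_private "$key" ||
            { die "x509: $key is readable by group/other; chmod 600 it"; return 1; }
        "$PKG_ADMIN" x509-sign-package "$staged" "$tmp" "$key" "$cert" ;;
    "")
        cp -pf "$staged" "$tmp" ;;
    *)
        die "unknown SIGN_PACKAGES method: $method"; return 1 ;;
    esac || { rm -f "$tmp"; return 1; }

    mv -f "$tmp" "$out"
}
```

Called with the values from the howto, the gpg case is simply `sign_package gpg work/.packages/foo-1.0.tgz packages/All/foo-1.0.tgz`; the x509 case adds the key and certificate paths as the fourth and fifth arguments. The checks are the ones a make rule cannot express cleanly, which is why they are worth doing before pkg_admin is ever invoked.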