Experimental packages [was: [PATCH] Added support for creating signed binary packages directly]
- To: edgebsd-developers@xxxxxxxxxxxxxxxxx
- Subject: Experimental packages [was: [PATCH] Added support for creating signed binary packages directly]
- From: Pierre Pronchery <khorben@xxxxxxxxxxx>
- Date: Sun, 01 Sep 2013 02:40:47 +0200
- Delivered-to: edgebsd-developers@xxxxxxxxxxxxxxxxx
- In-reply-to: <521FDEAD.5060102@xxxxxxxxxxx>
- Organization: The EdgeBSD Project
- References: <20130829233415.72DFA19C00@xxxxxxxxxxxxxxxx> <521FDEAD.5060102@xxxxxxxxxxx>
- User-agent: Mozilla/5.0 (X11; NetBSD amd64; rv:17.0) Gecko/20130810 Thunderbird/17.0.8
Hello there,

On 30/08/2013 01:52, Pierre Pronchery wrote:
> [...]
> Anyway, what I really mean to say is:
> - I have created a "khorben-signing" branch for edgebsd-pkgsrc;
> - it includes the patch below;
> - this patch allows me to create signed binary packages from pkgsrc.
>
> Although also supporting X509-based signatures, I have only tested
> GPG-based signatures so far - and it seems to work.
>
> So yeah, I think this is good news, and I am busy preparing a first
> batch of signed, binary packages for EdgeBSD so as to properly get this
> tested for not just me.

I have built and uploaded a first few packages there:
ftp://ftp.edgebsd.org/pub/pkgsrc/packages/EdgeBSD/amd64/EdgeBSD-6/pkgsrc-2013Q2/All
(you may have to allow for a DNS update; it should alias to
altar.edgebsd.org)

They were built with "/usr/pkg" as the prefix (like by default on NetBSD)
but as an unprivileged user; as a consequence, installing them as root
(privileged) doesn't work exactly like expected:
- package files are extracted with the privileges of the unprivileged
  user (which will likely collide with existing user and group IDs)
- /usr/pkg/var is used instead of /var for package data (meta-data
  should be in /var/db/pkg as usual)

Do not forget to:
> add this to pkg_install.conf:
> GPG=/path/to/bin/gpg
> VERIFIED_INSTALLATIONS=always
to ensure that package signatures will be verified upon installation.

You will also need to import the GPG key; as root:
# gpg --recv-key 6F3AF5E2

> I am still working on checking that the packages are properly verified.

Apparently they are *not* verified as strictly as could be, see:
http://mail-index.netbsd.org/pkgsrc-users/2013/08/30/msg018513.html

« it seems that the current behavior is "the package is trusted if the
key is known and the signature is good". That's certainly not
satisfying, because "I trust this key to be originating from this
person" does not mean "I trust whichever packages from this person".
The GPG_KEYRING_VERIFY variable can be (ab)used to emulate this though. »

I have experienced additional issues.

1. Installing from a remote URL failed:
# export PKG_PATH=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/EdgeBSD/amd64/EdgeBSD-6/pkgsrc-2013Q2/All
# pkg_add bash
gpg: Signature made Fri Aug 30 13:46:37 2013 UTC using RSA key ID 6F3AF5E2
gpg: Good signature from "EdgeBSD packages <root@xxxxxxxxxxx>"
pkg_add: 1 package addition failed

2. When installing locally with pkg_install from 6.1_STABLE:
I had to install dependencies manually for each package. This is maybe
fixed in pkg_install from pkgsrc already (I haven't built this package
yet though).

Do not hesitate if you have any additional questions.

HTH,
--
khorben

> On 30/08/2013 01:26, Pierre Pronchery wrote: >> --- >> mk/defaults/mk.conf | 15 +++++++++++++++ >> mk/pkgformat/pkg/package.mk | 12 ++++++++++++ >> 2 files changed, 27 insertions(+), 0 deletions(-) >> >> diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf >> index 46b89a2..86e4f06 100644 >> --- a/mk/defaults/mk.conf >> +++ b/mk/defaults/mk.conf >> @@ -60,6 +60,21 @@ GZIP?= -9 >> # Possible: not defined, no >> # Default: yes >> >> +#SIGN_PACKAGES= >> +# sign the packages generated (when supported) with the method specified. >> +# Possible: gpg, x509, not defined >> +# Default: not defined >> + >> +#X509_KEY= >> +# key to use when signing packages with an X509 certificate. >> +# Possible: pathname to the key file, not defined >> +# Default: not defined >> + >> +#X509_CERTIFICATE= >> +# certificate to use when signing packages with an X509 certificate. >> +# Possible: pathname to the X509 certificate, not defined >> +# Default: not defined >> + >> #OBJHOSTNAME= >> # use hostname-specific object directories, e.g. work.amnesiac, work.localhost >> # OBJHOSTNAME takes precedence over OBJMACHINE (see below). >> diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk >> index bfbfe57..3a0175b 100644 >> --- a/mk/pkgformat/pkg/package.mk 
>> +++ b/mk/pkgformat/pkg/package.mk >> @@ -77,12 +77,24 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS} >> fi >> >> .if ${_USE_DESTDIR} != "no" >> +.if !empty(SIGN_PACKAGES:Mgpg) >> +${PKGFILE}: ${STAGE_PKGFILE} >> + ${RUN} ${MKDIR} ${.TARGET:H} >> + @${STEP_MSG} "Creating signed binary package ${.TARGET}" >> + ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE} >> +.elif !empty(SIGN_PACKAGES:Mx509) >> +${PKGFILE}: ${STAGE_PKGFILE} >> + ${RUN} ${MKDIR} ${.TARGET:H} >> + @${STEP_MSG} "Creating signed binary package ${.TARGET}" >> + ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} ${X509_CERTIFICATE} >> +.else >> ${PKGFILE}: ${STAGE_PKGFILE} >> ${RUN} ${MKDIR} ${.TARGET:H} >> @${STEP_MSG} "Creating binary package ${.TARGET}" >> ${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \ >> ${CP} -pf ${STAGE_PKGFILE} ${PKGFILE} >> .endif >> +.endif >> >> ###################################################################### >> ### package-remove (PRIVATE) -- khorben
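Review bot: The SIGN_PACKAGES comment added to mk/defaults/mk.conf documents key material only for the x509 method (X509_KEY, X509_CERTIFICATE) and says nothing about which key the gpg method signs with or where that is configured; a line in the SIGN_PACKAGES comment pointing at that setting would let a packager confirm the right key is used before publishing. "(when supported)" is also vague: the patch only touches mk/pkgformat/pkg/package.mk, so the comment could say the variable applies to that package format.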
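Review bot: In the mk/pkgformat/pkg/package.mk hunk, any SIGN_PACKAGES value other than gpg or x509 falls through to the .else branch and produces an unsigned package with the ordinary "Creating binary package" message, so a typo in the variable silently disables signing. Consider failing the build when SIGN_PACKAGES is non-empty but matches neither method. The x509 branch also passes ${X509_KEY} and ${X509_CERTIFICATE} to x509-sign-package without checking that they are set, although both default to "not defined" in mk.conf; an explicit check before the call would give a clearer error. Both signing branches sit inside `.if ${_USE_DESTDIR} != "no"`, so it is worth stating what happens to SIGN_PACKAGES when _USE_DESTDIR is "no".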
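The concern quoted in the message, that a known key with a good signature is accepted regardless of whose key it is, can be addressed by pinning the signer. The following is an added example, not part of the original message or of pkg_install: it parses text in the format written by `gpg --status-fd 1 --verify` and accepts only an allow-listed primary-key fingerprint. The fingerprints, function names and sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example. All key material is constructed placeholder data,
# not the EdgeBSD key.
PACKAGER_FPRS="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  # hypothetical allow-list
OTHER_FPR="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"      # in keyring, not a packager

# signer_allowed STATUS ALLOWED
# STATUS: text in the format of `gpg --status-fd 1 --verify ...`.
# Succeeds only if there is no failure status, exactly one VALIDSIG, and
# its primary-key fingerprint is listed in ALLOWED (space separated).
signer_allowed() {
    sa_status=$1
    sa_allowed=$2
    # Bad, unverifiable, expired-key or revoked-key signatures never pass.
    if printf '%s\n' "$sa_status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NODATA)( |$)'; then
        return 1
    fi
    # VALIDSIG: field 3 is the signing key, field 12 (if present) the primary key.
    sa_fprs=$(printf '%s\n' "$sa_status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3) }')
    [ "$(printf '%s\n' "$sa_fprs" | grep -c .)" -eq 1 ] || return 1
    for sa_fpr in $sa_allowed; do
        [ "$sa_fpr" = "$sa_fprs" ] && return 0
    done
    return 1
}

# make_status KEYWORD FPR: build constructed status output for one signature.
make_status() {
    ms_keyid=$(printf '%s' "$2" | cut -c25-40)
    printf '[GNUPG:] NEWSIG\n[GNUPG:] %s %s Example signer (constructed)\n' "$1" "$ms_keyid"
    if [ "$1" = GOODSIG ]; then
        printf '[GNUPG:] VALIDSIG %s 2013-08-30 1377870397 0 4 0 1 2 00 %s\n' "$2" "$2"
    fi
}

# A good signature from a key that is merely known must still be rejected.
for c in "GOODSIG $PACKAGER_FPRS" "GOODSIG $OTHER_FPR" "BADSIG $PACKAGER_FPRS"; do
    kw=${c%% *}
    fpr=${c#* }
    if signer_allowed "$(make_status "$kw" "$fpr")" "$PACKAGER_FPRS"; then
        echo "$kw from $fpr: accept"
    else
        echo "$kw from $fpr: reject"
    fi
done
```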