
Experimental packages [was: [PATCH] Added support for creating signed binary packages directly]



Hello there,

On 30/08/2013 01:52, Pierre Pronchery wrote:
> [...]
> Anyway, what I really mean to say is:
> - I have created a "khorben-signing" branch for edgebsd-pkgsrc;
> - it includes the patch below;
> - this patch allows me to create signed binary packages from pkgsrc.
> 
> Although also supporting X509-based signatures, I have only tested
> GPG-based signatures so far - and it seems to work.
> 
> So yeah, I think this is good news, and I am busy preparing a first
> batch of signed, binary packages for EdgeBSD so as to properly get this
> tested for not just me.

I have built and uploaded a first few packages there:
ftp://ftp.edgebsd.org/pub/pkgsrc/packages/EdgeBSD/amd64/EdgeBSD-6/pkgsrc-2013Q2/All
(you may have to allow for a DNS update; it should alias to
altar.edgebsd.org)

They were built with "/usr/pkg" as the prefix (like by default on
NetBSD) but as an unprivileged user; as a consequence, installing them
as root (privileged) doesn't work exactly as expected:
- package files are extracted with the privileges of the unprivileged
  user (which will likely collide with existing user and group IDs)
- /usr/pkg/var is used instead of /var for package data (meta-data
  should be in /var/db/pkg as usual)

Do not forget to:

> add this to pkg_install.conf:
> GPG=/path/to/bin/gpg
> VERIFIED_INSTALLATIONS=always

to ensure that package signatures will be verified upon installation.

You will also need to import the GPG key; as root:
# gpg --recv-key 6F3AF5E2

> I am still working on checking that the packages are properly verified.

Apparently they are *not* verified as strictly as could be, see:
http://mail-index.netbsd.org/pkgsrc-users/2013/08/30/msg018513.html

« it seems that the current behavior is "the package is trusted if the
key is known and the signature is good". That's certainly not
satisfying, because "I trust this key to be originating from this
person" does not mean "I trust whichever packages from this person". The
GPG_KEYRING_VERIFY variable can be (ab)used to emulate this though. »

I have experienced additional issues.

1. Installing from a remote URL failed:
# export PKG_PATH=ftp://ftp.edgebsd.org/pub/pkgsrc/packages/EdgeBSD/amd64/EdgeBSD-6/pkgsrc-2013Q2/All
# pkg_add bash
gpg: Signature made Fri Aug 30 13:46:37 2013 UTC using RSA key ID 6F3AF5E2
gpg: Good signature from "EdgeBSD packages <root@xxxxxxxxxxx>"
pkg_add: 1 package addition failed

2. When installing locally with pkg_install from 6.1_STABLE: I had to
install dependencies manually for each package. This is maybe fixed in
pkg_install from pkgsrc already (I haven't built this package yet though).

Do not hesitate if you have any additional questions.

HTH,
-- khorben

> On 30/08/2013 01:26, Pierre Pronchery wrote:
>> ---
>>  mk/defaults/mk.conf         |   15 +++++++++++++++
>>  mk/pkgformat/pkg/package.mk |   12 ++++++++++++
>>  2 files changed, 27 insertions(+), 0 deletions(-)
>>
>> diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
>> index 46b89a2..86e4f06 100644
>> --- a/mk/defaults/mk.conf
>> +++ b/mk/defaults/mk.conf
>> @@ -60,6 +60,21 @@ GZIP?=	-9
>>  # Possible: not defined, no
>>  # Default: yes
>>  
>> +#SIGN_PACKAGES=
>> +# sign the packages generated (when supported) with the method specified.
>> +# Possible: gpg, x509, not defined
>> +# Default: not defined
>> +
>> +#X509_KEY=
>> +# key to use when signing packages with an X509 certificate.
>> +# Possible: pathname to the key file, not defined
>> +# Default: not defined
>> +
>> +#X509_CERTIFICATE=
>> +# certificate to use when signing packages with an X509 certificate.
>> +# Possible: pathname to the X509 certificate, not defined
>> +# Default: not defined
>> +
>>  #OBJHOSTNAME=
>>  # use hostname-specific object directories, e.g.  work.amnesiac, work.localhost
>>  # OBJHOSTNAME takes precedence over OBJMACHINE (see below).
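Review bot: The SIGN_PACKAGES comment block does not say that the x509 method depends on X509_KEY and X509_CERTIFICATE, and all three are documented as "Default: not defined", so a user who sets only SIGN_PACKAGES=x509 gets no hint that two more variables are mandatory. Suggest stating the dependency in the SIGN_PACKAGES description, and noting under X509_KEY that it names a private key whose file should be readable only by the build user. The gpg method has no documented way here to choose the signing key either; a one-line pointer to where that is configured would help.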
>> diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk
>> index bfbfe57..3a0175b 100644
>> --- a/mk/pkgformat/pkg/package.mk
>> +++ b/mk/pkgformat/pkg/package.mk
>> @@ -77,12 +77,24 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
>>  	fi
>>  
>>  .if ${_USE_DESTDIR} != "no"
>> +.if !empty(SIGN_PACKAGES:Mgpg)
>> +${PKGFILE}: ${STAGE_PKGFILE}
>> +	${RUN} ${MKDIR} ${.TARGET:H}
>> +	@${STEP_MSG} "Creating signed binary package ${.TARGET}"
>> +	${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE}
>> +.elif !empty(SIGN_PACKAGES:Mx509)
>> +${PKGFILE}: ${STAGE_PKGFILE}
>> +	${RUN} ${MKDIR} ${.TARGET:H}
>> +	@${STEP_MSG} "Creating signed binary package ${.TARGET}"
>> +	${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} ${X509_CERTIFICATE}
>> +.else
>>  ${PKGFILE}: ${STAGE_PKGFILE}
>>  	${RUN} ${MKDIR} ${.TARGET:H}
>>  	@${STEP_MSG} "Creating binary package ${.TARGET}"
>>  	${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
>>  		${CP} -pf ${STAGE_PKGFILE} ${PKGFILE}
>>  .endif
>> +.endif
>>  
>>  ######################################################################
>>  ### package-remove (PRIVATE)
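Review bot: Any SIGN_PACKAGES value other than gpg or x509 (a typo such as "pgp", for instance) falls through to the `.else` branch and produces an unsigned package with the ordinary "Creating binary package" message, so a build that was meant to sign fails open without warning. Suggest rejecting unknown non-empty values before the `.if !empty(SIGN_PACKAGES:Mgpg)` chain. In the x509 branch, `${X509_KEY}` and `${X509_CERTIFICATE}` are passed to `x509-sign-package` without checking that they are set; both default to not defined, so the error only surfaces at packaging time, and an early check would be clearer. The target line and the `${MKDIR}` recipe are also repeated in all three branches and could be shared, leaving only the final command conditional.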

-- 
khorben
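
The pkg_install.conf settings from the message above, turned into a check that can be run before installing from the repository. This is an added example, not part of the original mail or of pkgsrc; it assumes the file uses the plain KEY=value lines shown in the mail, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original mail): audit pkg_install.conf for the
# signature-verification settings discussed in this message.

# conf_value FILE KEY: print the value of the last uncommented KEY=... line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_pkg_install_conf FILE: print one finding per line.
# Returns 0 when verification is enforced, 1 when it is not, 2 if unreadable.
audit_pkg_install_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "FAIL cannot read $conf"; return 2; }

    verify=$(conf_value "$conf" VERIFIED_INSTALLATIONS)
    gpg=$(conf_value "$conf" GPG)
    keyring=$(conf_value "$conf" GPG_KEYRING_VERIFY)

    if [ "$verify" = always ]; then
        echo "OK   VERIFIED_INSTALLATIONS=always"
    else
        echo "FAIL VERIFIED_INSTALLATIONS is '${verify:-unset}', not 'always'"
        rc=1
    fi

    if [ -n "$gpg" ] && [ -x "$gpg" ]; then
        echo "OK   GPG=$gpg"
    else
        echo "FAIL GPG is '${gpg:-unset}': not an executable"
        rc=1
    fi

    # Trust gap quoted in the mail: a good signature from any known key is
    # accepted; GPG_KEYRING_VERIFY is the variable it names as a workaround.
    if [ -n "$keyring" ]; then
        echo "OK   GPG_KEYRING_VERIFY=$keyring"
    else
        echo "WARN GPG_KEYRING_VERIFY unset: any known key with a good signature is trusted"
    fi
    return $rc
}

# Run against a file when one is given on the command line.
if [ $# -gt 0 ]; then audit_pkg_install_conf "$1"; fi
```

A WARN line does not change the exit status, because the mail presents GPG_KEYRING_VERIFY as a workaround rather than a required setting.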