10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Marko Cupać
marko.cupac at mimar.rs
Tue Sep 8 14:48:18 UTC 2015
On Tue, 8 Sep 2015 15:38:02 +0200
Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
> Marko Cupać <marko.cupac at mimar.rs> wrote:
>
> > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > with signature_type="pubkey".
> >
> > Quick search returns:
> > https://github.com/freebsd/pkg/issues/1309
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> >
> > I guess it is not hard to switch repo to fingerprints, however I
> > would not expect to lose this functionality by updating to
> > patchlevel.
>
> The "functionality" pkg(7) "lost" is silently ignoring unsupported
> signature types which is dangerous if the network can't be trusted:
> https://www.freebsd.org/security/advisories/FreeBSD-EN-15:15.pkg.asc
> https://www.fabiankeil.de/gehacktes/hardenedbsd/
>
> If you absolutely want to, you can still bootstrap insecurely by
> temporarily setting the signature type to none.

I absolutely _don't_ want to bootstrap insecurely, and I am thankful to
people more skilled in security than me for discovering and fixing
vulnerabilities.

I'd like to have the ability to bootstrap from my repo securely, which
I thought I had.

I am trying to switch to fingerprints, but I need a little help.

On client, I have:
- changed signature_type to "fingerprints"
- pointed fingerprints to a directory
- created two subdirs, 'revoked' and 'trusted'
- inside trusted, created a file with 'function' and 'fingerprint'

But when I try to bootstrap, I get the following message:

pkg: Error fetching
http://pkg.example.com/packages/102amd64-default/Latest/pkg.txz.sig: Not Found

I am trying to follow the example from pkg-repo(8) about creating and
signing repo with external command, but it does not work for me. To be
honest, I don't understand what exactly the first command is supposed to
do. I guess it should create a file similar to pkg.txz.sig on FreeBSD pkg
site, but it doesn't. Perhaps because I am using tcsh and not sh, but
switching to sh doesn't help either:

# On signing server:
% cat > sign.sh << EOF
#!/bin/sh
read -t 2 sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
echo
echo CERT
cat repo.pub
echo END
EOF

The one who helps me figure this out can count on a few dozen beers
when passing through Belgrade/Serbia.
--
Marko Cupać
https://www.mimar.rs/
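
An added example, not part of the original message: the sign.sh body quoted above goes through an unquoted heredoc (`<< EOF`), so under sh the shell expands `$sum` while writing the file. The sketch below writes both forms and prints the guard line that lands on disk; the function names and output file names are made up for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): the sign.sh body from the message,
# written once through an unquoted heredoc and once through a quoted one.
# Function names and output file names are assumptions made for this demo.

write_unquoted() {   # same form as in the message: << EOF
    unset sum        # as in a fresh interactive shell
    cat > "$1" << EOF
#!/bin/sh
read -t 2 sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
echo
echo CERT
cat repo.pub
echo END
EOF
}

write_quoted() {     # << 'EOF' turns off expansion inside the heredoc
    cat > "$1" << 'EOF'
#!/bin/sh
read -t 2 sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
echo
echo CERT
cat repo.pub
echo END
EOF
}

# Print the guard line (line 3) exactly as it landed in the file.
guard_line() { sed -n '3p' "$1"; }

# Succeed only if the file still pipes the variable into openssl.
pipes_sum() { grep -q '^echo -n \$sum | ' "$1"; }

demo() {
    dir=$(mktemp -d) || return 1
    write_unquoted "$dir/sign-unquoted.sh"
    write_quoted "$dir/sign-quoted.sh"
    for f in "$dir"/sign-*.sh; do
        printf '%s: %s\n' "${f##*/}" "$(guard_line "$f")"
    done
    rm -rf "$dir"
}
demo
```

With the unquoted form the guard on disk reads `[ -z "" ] && exit 1`, so that script exits before it prints SIGNATURE; the quoted form keeps `$sum` for the script to fill in at run time.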