10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Baptiste Daroussin
bapt at freebsd.org
Wed Sep 9 13:27:24 UTC 2015
On Wed, Sep 09, 2015 at 09:21:24AM -0400, Shawn Webb wrote:
> On Wednesday, 09 September 2015 10:56:20 AM Baptiste Daroussin wrote:
> > On Wed, Sep 09, 2015 at 09:14:12AM +0200, Marko Cupać wrote:
> > > On Tue, 8 Sep 2015 23:28:59 +0200
> > >
> > > Baptiste Daroussin <bapt at FreeBSD.org> wrote:
> > > > On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:
> > > > > Hi,
> > > > >
> > > > > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > > > > with signature_type="pubkey".
> > > > >
> > > > > Quick search returns:
> > > > > https://github.com/freebsd/pkg/issues/1309
> > > > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> > > > >
> > > > > I guess it is not hard to switch repo to fingerprints, however I
> > > > > would not expect to lose this functionality by updating to
> > > > > patchlevel.
> > > >
> > > > Implemented in head: r287579 I will MFC it asap. And see if it cannot
> > > > be added asap to a next patchlevel update.
> > > >
> > > > Best regards,
> > > > Bapt
> > >
> > > Thanx!
> > >
> > > Just a few quick not-completely-related questions: poudriere has the
> > > ability to sign repos with PKG_REPO_SIGNING_KEY, but not with external
> > > command, right? Is there a plan to support it? Can I build packages in
> > > poudriere without PKG_REPO_SIGNING_KEY, and sign repo later on with
> > > external command?
> >
> > First yes I plan to add the ability to sign the package used to bootstrap
> > via PKG_REPO_SIGNING_KEY asap in poudriere.
> >
> > Second you can keep your current configuration of poudriere, the signing
> > with pubkey works perfectly well. All you need to do is either via a
> > poudriere post bulk hook or manually go in the directory where your
> > packages live (in the Latest directory) and
> > echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \
> > -binary -out ./pkg.txz.pubkeysig
>
> I can't find any documentation in either Poudriere's manpage or in
> poudriere.conf.sample on how to add a post bulk hook.
>
> Is the signing_command option to `pkg repo` really only used in generating
> pkg.txz.sig? Is there any formal documentation about the cryptography design
> and architecture in relation to pkg's repositories?
>
> Thanks,
This is the doc we have on hooks:
https://github.com/freebsd/poudriere/wiki/hooks
Would be nice to get more stuff in there :)
Best regards,
Bapt
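
The signing step quoted in the message above, paired with the matching verification, as an added example that is not part of the original thread or of pkg/poudriere. The throwaway key, the stand-in pkg.txz and the function names are constructed for the demo, and `openssl dgst -r` is used in place of FreeBSD's `sha256 -q`.

```shell
#!/bin/sh
# Added example: produce and check pkg.txz.pubkeysig as in the quoted command.
# The signed message is the hex SHA-256 string of pkg.txz (no trailing
# newline), not the archive bytes themselves.

# hex_sha256 FILE: print the hex digest only (what `sha256 -q` prints on FreeBSD)
hex_sha256() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# sign_pkg PKG PRIVKEY: write PKG.pubkeysig next to the package
sign_pkg() {
    printf '%s' "$(hex_sha256 "$1")" |
        openssl dgst -sha256 -sign "$2" -binary -out "$1.pubkeysig"
}

# verify_pkg PKG PUBKEY: exit 0 only if PKG.pubkeysig matches PKG and PUBKEY
verify_pkg() {
    printf '%s' "$(hex_sha256 "$1")" |
        openssl dgst -sha256 -verify "$2" -signature "$1.pubkeysig" \
            >/dev/null 2>&1
}

# demo: sign a constructed file, then confirm that tampering breaks the check
demo() {
    d=$(mktemp -d) || return 1
    # Throwaway key pair, constructed for this demo only
    openssl genrsa -out "$d/repo.key" 2048 2>/dev/null
    openssl rsa -in "$d/repo.key" -pubout -out "$d/repo.pub" 2>/dev/null
    printf 'constructed stand-in for pkg.txz\n' > "$d/pkg.txz"

    sign_pkg "$d/pkg.txz" "$d/repo.key" || { rm -rf "$d"; return 1; }
    if verify_pkg "$d/pkg.txz" "$d/repo.pub"; then ok=0; else ok=1; fi

    # Any change to the archive changes its digest, so the old signature fails
    printf 'tampered\n' >> "$d/pkg.txz"
    if verify_pkg "$d/pkg.txz" "$d/repo.pub"; then bad=0; else bad=1; fi

    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "signature verified; tampered package rejected"
```

Running `verify_pkg` against the published public key after the signing step catches a wrong key path or a package rebuilt after signing before clients try to bootstrap from the repository.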