pkgsrc-Users archive
Creating signed binary packages with pkgsrc
Hi everyone,
I am currently investigating providing signed binary packages for
NetBSD through the EdgeBSD platform, and glad to say that this is
currently on a good track.
The following patch allows me to do so, at least with GPG:
http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=patch;h=b2ad0ec7e434d221d92218c52b18558a825f5ec9
(attached here too)
Quick howto:
add this to mk.conf:
SIGN_PACKAGES=gpg
or for X509:
SIGN_PACKAGES=x509
X509_KEY=/path/to/the/key
X509_CERTIFICATE=/path/to/the/certificate
add this to pkg_install.conf:
GPG=/path/to/bin/gpg
GPG_SIGN_AS=your-user-id
VERIFIED_INSTALLATIONS=always
With these set and the patch applied, packages should be signed
automatically, e.g.:
$ bmake package
[...]
/home/pkgsrc/pkg/sbin/pkg_admin -K /home/pkgsrc/pkg/var/db/pkg gpg-sign-package /home/pkgsrc/work/wrk/devel/deforaos-libsystem/work/.packages/deforaos-libsystem-0.1.5nb1.tgz /home/pkgsrc/packages/All/deforaos-libsystem-0.1.5nb1.tgz
You need a passphrase to unlock the secret key for
user: "EdgeBSD Packages <root%edgebsd.org@localhost>"
4096-bit RSA key, ID 6F3AF5E2, created 2013-08-29
...and then the package can be installed as expected.
I am still working on checking that the packages are properly verified.
HTH,
--
khorben
From b2ad0ec7e434d221d92218c52b18558a825f5ec9 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Fri, 30 Aug 2013 01:26:23 +0200
Subject: [PATCH] Added support for creating signed binary packages directly
---
mk/defaults/mk.conf | 15 +++++++++++++++
mk/pkgformat/pkg/package.mk | 12 ++++++++++++
2 files changed, 27 insertions(+), 0 deletions(-)
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 46b89a2..86e4f06 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -60,6 +60,21 @@ GZIP?= -9
# Possible: not defined, no
# Default: yes
+#SIGN_PACKAGES=
+# sign the packages generated (when supported) with the method specified.
+# Possible: gpg, x509, not defined
+# Default: not defined
+
+#X509_KEY=
+# key to use when signing packages with an X509 certificate.
+# Possible: pathname to the key file, not defined
+# Default: not defined
+
+#X509_CERTIFICATE=
+# certificate to use when signing packages with an X509 certificate.
+# Possible: pathname to the X509 certificate, not defined
+# Default: not defined
+
#OBJHOSTNAME=
# use hostname-specific object directories, e.g. work.amnesiac, work.localhost
# OBJHOSTNAME takes precedence over OBJMACHINE (see below).
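Review bot: the new SIGN_PACKAGES comment block lists the accepted values but does not document the other half of the configuration: the gpg method also needs GPG and GPG_SIGN_AS set in pkg_install.conf (as the covering mail explains), and X509_KEY and X509_CERTIFICATE are not really optional once SIGN_PACKAGES=x509. Suggest adding a pointer to pkg_install.conf(5) under "#SIGN_PACKAGES=" and wording the two X509_* entries as "required when SIGN_PACKAGES=x509" rather than "Default: not defined", so a builder who sets only SIGN_PACKAGES does not discover the missing pieces at package time.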
diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk
index bfbfe57..3a0175b 100644
--- a/mk/pkgformat/pkg/package.mk
+++ b/mk/pkgformat/pkg/package.mk
@@ -77,12 +77,24 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
fi
.if ${_USE_DESTDIR} != "no"
+.if !empty(SIGN_PACKAGES:Mgpg)
+${PKGFILE}: ${STAGE_PKGFILE}
+ ${RUN} ${MKDIR} ${.TARGET:H}
+ @${STEP_MSG} "Creating signed binary package ${.TARGET}"
+ ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE}
+.elif !empty(SIGN_PACKAGES:Mx509)
+${PKGFILE}: ${STAGE_PKGFILE}
+ ${RUN} ${MKDIR} ${.TARGET:H}
+ @${STEP_MSG} "Creating signed binary package ${.TARGET}"
+ ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY}
${X509_CERTIFICATE}
+.else
${PKGFILE}: ${STAGE_PKGFILE}
${RUN} ${MKDIR} ${.TARGET:H}
@${STEP_MSG} "Creating binary package ${.TARGET}"
${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
${CP} -pf ${STAGE_PKGFILE} ${PKGFILE}
.endif
+.endif
######################################################################
### package-remove (PRIVATE)
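Review bot: any SIGN_PACKAGES value other than gpg or x509 (a typo such as "pgp") silently takes the final .else branch and produces an unsigned package, so the signing requirement fails open; suggest making the last branch ".elif empty(SIGN_PACKAGES)" and adding an ".else" that aborts with a clear error (e.g. via PKG_FAIL_REASON) on unrecognised values. In the x509 branch, "${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} ${X509_CERTIFICATE}" runs with empty trailing arguments when either variable is unset, so a ".if !defined(X509_KEY) || !defined(X509_CERTIFICATE)" check with a descriptive message before the rule would fail earlier and more clearly than pkg_admin's own error. Also note that "${X509_CERTIFICATE}" has been wrapped onto its own line by the mailer, so the patch as shown in the archive will not apply without rejoining it to the preceding "+" line.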
--
1.7.2.5