pkgsrc-Users archive
Re: Creating signed binary packages with pkgsrc
Nice work!
Some random thoughts:
1. the old pkg_add had signed package support via pkg_add -S pkg...
It was added in 2001. Whilst I think that pkg_add is the right place
to put verification, it was done through a callout to gpg. Joerg tells
me there's still support in pkg_add for gpg --detach-sign, though, and
unfortunately netpgp's --detach is the corresponding argument.
2. pkg_admin has done pgp and x.509 sigs since 2007 or 2008.
3. if you're doing verification of any signed packages, take a look
at pkgsrc/security/libnetpgpverify. It has zero dependencies, and is
fairly small in size. That's why I added it.
4. For your signing, signing in-line may not be the best way to do it.
I can think of numerous bulk build setups which would build the packages
first, and then have the packages signed in bulk at the end. The alternative
is passphrase-less keys, again not good.
5. What do you do if you have a package which isn't signed? Should
pkg_add warn, and add it; should it warn, and not add it; should it
fail visibly; should it not care? Policy decisions, decisions,
decisions (a problem seen in production in a previous life)...
Oh, and GPG is just one (GPLed) implementation of PGP, RFC 4880. I'd
hate to think we put the wrong acronym into any definition.
When I did the signing support originally, though, signing the package
was the least onerous part of the work. The main part is getting buy-in
from everyone to sign packages, and for widespread adoption. I do think
the situation has changed in 12 years, though.
Best,
Alistair
On Fri, Aug 30, 2013 at 02:14:46AM +0200, Pierre Pronchery wrote:
> Hi everyone,
>
> I am currently investigating providing signed binary packages for
> NetBSD through the EdgeBSD platform, and glad to say that this is
> currently on a good track.
>
> The following patch allows me to do so, at least with GPG:
> http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=patch;h=b2ad0ec7e434d221d92218c52b18558a825f5ec9
> (attached here too)
>
> Quick howto:
>
> add this to mk.conf:
> SIGN_PACKAGES=gpg
>
> or for X509:
> SIGN_PACKAGES=x509
> X509_KEY=/path/to/the/key
> X509_CERTIFICATE=/path/to/the/certificate
>
> add this to pkg_install.conf:
> GPG=/path/to/bin/gpg
> GPG_SIGN_AS=your-user-id
> VERIFIED_INSTALLATIONS=always
>
> With these set and the patch applied, packages should be signed
> automatically, eg:
> $ bmake package
> [...]
> /home/pkgsrc/pkg/sbin/pkg_admin -K /home/pkgsrc/pkg/var/db/pkg
> gpg-sign-package
> /home/pkgsrc/work/wrk/devel/deforaos-libsystem/work/.packages/deforaos-libsystem-0.1.5nb1.tgz
> /home/pkgsrc/packages/All/deforaos-libsystem-0.1.5nb1.tgz
>
> You need a passphrase to unlock the secret key for
> user: "EdgeBSD Packages <root%edgebsd.org@localhost>"
> 4096-bit RSA key, ID 6F3AF5E2, created 2013-08-29
>
> ...and then the package can be installed as expected.
>
> I am still working on checking that the packages are properly verified.
>
> HTH,
> - --
> khorben
> From b2ad0ec7e434d221d92218c52b18558a825f5ec9 Mon Sep 17 00:00:00 2001
> From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
> Date: Fri, 30 Aug 2013 01:26:23 +0200
> Subject: [PATCH] Added support for creating signed binary packages directly
>
> ---
> mk/defaults/mk.conf | 15 +++++++++++++++
> mk/pkgformat/pkg/package.mk | 12 ++++++++++++
> 2 files changed, 27 insertions(+), 0 deletions(-)
>
> diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
> index 46b89a2..86e4f06 100644
> --- a/mk/defaults/mk.conf
> +++ b/mk/defaults/mk.conf
> @@ -60,6 +60,21 @@ GZIP?= -9
> # Possible: not defined, no
> # Default: yes
>
> +#SIGN_PACKAGES=
> +# sign the packages generated (when supported) with the method specified.
> +# Possible: gpg, x509, not defined
> +# Default: not defined
> +
> +#X509_KEY=
> +# key to use when signing packages with an X509 certificate.
> +# Possible: pathname to the key file, not defined
> +# Default: not defined
> +
> +#X509_CERTIFICATE=
> +# certificate to use when signing packages with an X509 certificate.
> +# Possible: pathname to the X509 certificate, not defined
> +# Default: not defined
> +
> #OBJHOSTNAME=
> # use hostname-specific object directories, e.g. work.amnesiac,
> work.localhost
> # OBJHOSTNAME takes precedence over OBJMACHINE (see below).
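Review bot: the new mk.conf entries document the X.509 inputs but say nothing about what the gpg method needs; since gpg signing also depends on GPG and GPG_SIGN_AS in pkg_install.conf (as the howto in the mail says), the SIGN_PACKAGES block should point there, e.g. `# gpg also requires GPG and GPG_SIGN_AS in pkg_install.conf(5)`. Minor wording: X509_KEY is described as the key "when signing packages with an X509 certificate", but the key is the private key paired with X509_CERTIFICATE, so `# private key matching X509_CERTIFICATE, used when SIGN_PACKAGES=x509` is clearer and makes the dependency between the two variables explicit.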
> diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk
> index bfbfe57..3a0175b 100644
> --- a/mk/pkgformat/pkg/package.mk
> +++ b/mk/pkgformat/pkg/package.mk
> @@ -77,12 +77,24 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
> fi
>
> .if ${_USE_DESTDIR} != "no"
> +.if !empty(SIGN_PACKAGES:Mgpg)
> +${PKGFILE}: ${STAGE_PKGFILE}
> + ${RUN} ${MKDIR} ${.TARGET:H}
> + @${STEP_MSG} "Creating signed binary package ${.TARGET}"
> + ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE}
> +.elif !empty(SIGN_PACKAGES:Mx509)
> +${PKGFILE}: ${STAGE_PKGFILE}
> + ${RUN} ${MKDIR} ${.TARGET:H}
> + @${STEP_MSG} "Creating signed binary package ${.TARGET}"
> + ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY}
> ${X509_CERTIFICATE}
> +.else
> ${PKGFILE}: ${STAGE_PKGFILE}
> ${RUN} ${MKDIR} ${.TARGET:H}
> @${STEP_MSG} "Creating binary package ${.TARGET}"
> ${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
> ${CP} -pf ${STAGE_PKGFILE} ${PKGFILE}
> .endif
> +.endif
>
> ######################################################################
> ### package-remove (PRIVATE)
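Review bot: the x509 branch passes ${X509_KEY} and ${X509_CERTIFICATE} to pkg_admin without checking that either is defined, so an unset variable silently drops an argument and the failure surfaces only as a confusing pkg_admin error; guard it with something like `.if !defined(X509_KEY) || !defined(X509_CERTIFICATE)` and a PKG_FAIL_REASON. An unrecognised SIGN_PACKAGES value (a typo such as `pgp`) likewise matches neither `:Mgpg` nor `:Mx509` and falls through to the existing `.else`, producing an unsigned package with no warning; an explicit `.elif defined(SIGN_PACKAGES)` that fails the build would be safer. Finally, the signing rules live only inside the `_USE_DESTDIR != "no"` block, so SIGN_PACKAGES is ignored for non-DESTDIR builds; that should at least be noted in the mk.conf comment.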
> --
> 1.7.2.5
>
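Alistair's point 4 above argues for signing packages in bulk after the build rather than in-line, so the passphrase-protected key only has to be unlocked once, on a host that need not be the build host. The script below is an added example of that workflow; it is not code from the mail or from pkgsrc. It assumes only the `pkg_admin -K <dbdir> gpg-sign-package <in> <out>` form shown in the quoted session; PKG_ADMIN, PKG_DBDIR and the sign_dir function are this script's own.

```shell
#!/bin/sh
# Bulk-sign every binary package in one pass after the build has finished.
# Constructed example: the only pkg_admin usage relied on is the
# "gpg-sign-package <in> <out>" form from the quoted session.

PKG_ADMIN="${PKG_ADMIN:-pkg_admin}"          # assumed: overridable for testing
PKG_DBDIR="${PKG_DBDIR:-/usr/pkg/pkgdb}"     # assumed default pkgdb location

# sign_dir <unsigned-dir> <signed-dir>
# Signs each *.tgz from <unsigned-dir> into <signed-dir>.  Packages already
# present in <signed-dir> are skipped, so a rerun only signs what is new and
# never replaces a signed package with a fresh unsigned copy.
# Prints "signed N skipped M failed K"; returns non-zero if anything failed.
sign_dir() {
    src=$1; dst=$2
    signed=0; skipped=0; failed=0
    mkdir -p "$dst" || return 1
    for pkg in "$src"/*.tgz; do
        [ -e "$pkg" ] || continue                 # glob matched nothing
        name=${pkg##*/}
        if [ -e "$dst/$name" ]; then
            skipped=$((skipped + 1))
            continue
        fi
        # Sign into a temporary name and rename on success, so a partially
        # written file is never published as a signed package.
        if "$PKG_ADMIN" -K "$PKG_DBDIR" gpg-sign-package "$pkg" "$dst/$name.tmp" \
           && mv "$dst/$name.tmp" "$dst/$name"; then
            signed=$((signed + 1))
        else
            rm -f "$dst/$name.tmp"
            failed=$((failed + 1))
        fi
    done
    echo "signed $signed skipped $skipped failed $failed"
    [ "$failed" -eq 0 ]
}

# Usage: sign-all.sh /path/to/packages/All /path/to/packages/signed
if [ $# -eq 2 ]; then
    sign_dir "$1" "$2"
fi
```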