Re: signed packages documentation

[Joerg Sonnenberger <joerg%bec.de@localhost>]

On Thu, Jul 23, 2020 at 11:36:38AM -0400, Greg Troxel wrote:
>   pkg_create does not say anything about signed packages.  Most of the
>   following probably should be addressed in pkg_create(1).

pkg_create doesn't deal with signed packages.

>   pkg_install.conf mentions "GPG_SIGN_AS" as a config variable.  It
>   doesn't speak to where the key is, or what program is used to sign.
>   We have netpgp in NetBSD base, and there is gpg 1 and 2 in pkgsrc.

Read again? There are four paragraphs above that variable...

>   There is no explanation of whether or not one can create a package,
>   and sign it later, or if this can be done only at creation time.

See first item.

>   There is no real explanation of how to come up with a keypair and how
>   to produce the bits needed for validation.  (Only needs to be
>   understanable by people that have used openpgp and basically
>   understand, in my view.)

This doesn't even make sense to me.

>   Building packages and signing them as an automated process seems to
>   require a key without a passphrase or gpg-agent.  This isn't explained
>   at all.  It seems obvious that gpg-agent is preferred to a key without
>   a passphrase.

Those are two options. The third option is to upload to a second system
and do the signing on that one, so that the key material is not
available to the build environment at all.

>   There is some notion of certificate chains, and it is not clear if
>   there is any provision for including these in a signed package,
>   similar to have pkix sends a cert chain for TLS.

There are two models for signing supported, using PGP signatures and
using x509 signatures. Certificate chains are used for the later.

Joerg