On Thu, Jul 23, 2020 at 03:24:16PM -0400, Greg Troxel wrote:
> Joerg Sonnenberger <joerg%bec.de@localhost> writes:
>
> > On Thu, Jul 23, 2020 at 11:36:38AM -0400, Greg Troxel wrote:
> >> pkg_install.conf mentions "GPG_SIGN_AS" as a config variable. It
> >> doesn't speak to where the key is, or what program is used to sign.
> >> We have netpgp in NetBSD base, and there is gpg 1 and 2 in pkgsrc.
> >
> > Read again? There are four paragraphs above that variable...
>
> So is netpgp in the picture at all? Or is it usable as a "GPG" program
> (which it isn't, but it looks like it is intended to be
> argument-compatible)?
It is used for the verification, but couldn't do the signing for some
reasons that I forgot.
netpgp was designed to NOT have the same interface as gpg, for obvious reasons.
It can be used for signing individual packages just fine. I purposely did not write an
agent for it, because... well, these things need careful management, even with a limited
key pair, or you could have someone signing any old thing that's passed its way.
I gave khorben a shell script at the Malta EuroBSDCon (which I guess was 2013), which
will do individual package signing (of an already built binary package), and he showed some
improvements he'd made to it at last year's pkgsrcCon in Cambridge. You'll need to ask
him for more background on it, it's been a while since I looked at it. The script could be made
to sign a directory of binary packages (using the fd to pass the passphrase to the signer netpgp instance),
but you'll need to ask khorben what he's done.
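One shape such a sign-a-whole-directory script could take, as an added example here rather than khorben's or agc's script. It assumes netpgp(1) accepts --sign --detached --armor --userid=ID and --pass-fd=N (check the man page on your system) and that NETPGP can be pointed at a different signer for dry runs; the package names and user id are made up.

```sh
#!/bin/sh
# Sign every binary package (*.tgz) in a directory with a detached,
# armored signature. The passphrase is handed to netpgp on fd 3, not
# as an argument, so it never shows up in ps(1) output or shell history.
# Assumption (not from the thread): netpgp takes --pass-fd=N and the
# --sign/--detached/--armor/--userid options named below.

NETPGP=${NETPGP:-netpgp}   # override to point at another signer for tests

# sign_one PKG USERID PASS: sign one package, passphrase over fd 3.
# Note: a here-document expands backslash sequences in $pass.
sign_one() {
    p=$1 uid=$2 pass=$3
    [ -f "$p" ] || { echo "no such package: $p" >&2; return 1; }
    "$NETPGP" --sign --detached --armor --userid="$uid" --pass-fd=3 "$p" 3<<EOF
$pass
EOF
}

# sign_dir DIR USERID: read the passphrase once (from the terminal, or
# from stdin when not interactive), sign each package, print the count.
sign_dir() {
    dir=$1 uid=$2 n=0
    if [ -t 0 ]; then
        printf 'Passphrase for %s: ' "$uid" >&2
        stty -echo; read -r pass; stty echo; echo >&2
    else
        read -r pass
    fi
    for pkg in "$dir"/*.tgz; do
        [ -e "$pkg" ] || continue          # empty directory: no glob match
        sign_one "$pkg" "$uid" "$pass" || return 1
        n=$((n + 1))
    done
    unset pass
    echo "$n"
}
```

Verify the result the same way pkg_install would consume it, with a separate netpgp --verify run before the signed packages are published.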