tech-pkg archive


Re: Signed binary pkgs setup



Martin Husemann <martin%duskware.de@localhost> writes:

> Unfortunately it seems like gpg signed pkgs is no option here, unless someone
> can describe a concept where we download the pkgbuild trust anchor key
> from the root of the binary pkg repository and "somehow" automatically verify
> this key against a master key that got installed with the system (and w/o
> administrative overload for whoever has to sign the individual pkgbuilder
> keys). The recursive chain of trust in x509 seems to be a good fit here
> (even though no one really likes x509).

OpenPGP has the same chain concept, with knobs to configure. But I
don't see why one can't:

  create a TNF-controlled (you with someone as backup) PGP key intended
  to be used over a long time (at least 5 years), and kept offline, as
  the TNF release signing CA key

  put the public part of this key into the distribution, and publish it

  Keep a file of public keys authorized to sign packages and put it on
  cdn.netbsd.org.  Update it as needed, and get a signature from the CA key

  Write a script to download the signed keyfile, validate the signature,
  and put it in a keyring to be used for validating packages

That amounts to the same thing as x509, except it's a bit of work, and
it might differ in not trusting 100 Root CAs out there.

It could probably also be done with config options to trust one valid
signature from the CA key, marked trusted, and only one hop.

Attachment: signature.asc
Description: PGP signature
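The four steps proposed in the reply above, carried out end to end as an added example (this is not code from the thread or from NetBSD/pkgsrc): an offline CA key, its public part installed on the "system", a file of authorized signer keys detach-signed by the CA, and the client-side script that validates that file before loading it into the package keyring. It also shows the two failure modes a practitioner cares about: a tampered keyfile is refused, and a package signed by a builder who is not on the signed list fails validation. All key names, addresses, file names, temporary directories and the `install_signers`/`verify_pkg` functions are assumptions; pinning the CA fingerprint inside `install_signers` is one way to get the "one trusted key, one hop" behaviour mentioned at the end of the reply, not a gpg option the thread names. Requires gpg 2.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the thread: the four steps as a gpg workflow.
# Every name, address, path and file name here is an assumption.
set -eu

WORK=$(mktemp -d)
CA_HOME="$WORK/ca"           # offline CA keyring (would live on an air-gapped box)
BUILDER_HOME="$WORK/builder" # an authorized pkgbuilder's keyring
ROGUE_HOME="$WORK/rogue"     # a builder that was never put on the signed list
SYS_HOME="$WORK/system"      # the installed system: holds only the CA public key
PKG_HOME="$WORK/pkgring"     # keyring the pkg tools use to validate packages

for d in "$CA_HOME" "$BUILDER_HOME" "$ROGUE_HOME" "$SYS_HOME" "$PKG_HOME"; do
    mkdir -p "$d" && chmod 700 "$d"
    echo allow-loopback-pinentry > "$d/gpg-agent.conf"   # no pinentry prompts
done

# g <homedir> <gpg args...>: non-interactive gpg in the given keyring
g() { h=$1; shift; gpg --homedir "$h" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase '' "$@"; }

# 1. long-lived CA key, kept offline; only its public part ever leaves CA_HOME
g "$CA_HOME" --quick-generate-key 'TNF Release CA (example) <ca@example.invalid>' ed25519 sign 0
CA_FPR=$(g "$CA_HOME" --with-colons --list-keys ca@example.invalid \
         | awk -F: '/^fpr:/ { print $10; exit }')

# 2. the public part ships with the distribution; here that means importing it
#    into the system keyring, whose only content is this one key
g "$CA_HOME" --export --armor ca@example.invalid > "$WORK/ca-pubkey.asc"
g "$SYS_HOME" --import "$WORK/ca-pubkey.asc"

# 3. file of public keys authorized to sign packages, detach-signed by the CA;
#    both files are what would be published next to the binary packages
g "$BUILDER_HOME" --quick-generate-key 'pkgbuilder (example) <builder@example.invalid>' ed25519 sign 0
g "$BUILDER_HOME" --export --armor builder@example.invalid > "$WORK/authorized-signers.pub"
g "$CA_HOME" --local-user ca@example.invalid --detach-sign --armor \
    --output "$WORK/authorized-signers.sig" "$WORK/authorized-signers.pub"

# 4. the client-side script: validate the downloaded keyfile against the
#    shipped CA key and, only if that holds, load it into the package keyring.
#    Returns 0 on success, 1 if the signature is bad or not from the pinned CA.
install_signers() { # install_signers <keyfile> <detached signature>
    status=$(g "$SYS_HOME" --status-fd 1 --trust-model always \
                --verify "$2" "$1" 2>/dev/null) || return 1
    # "one trusted key, one hop": insist the good signature comes from the CA
    # fingerprint installed with the system (VALIDSIG carries the signing key
    # fingerprint in field 3 and the primary key fingerprint last)
    echo "$status" | awk -v f="$CA_FPR" \
        '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
         END { exit !ok }' || return 1
    g "$PKG_HOME" --import "$1"
}

# verify_pkg <package file>: 0 if <file>.sig was made by an authorized key
verify_pkg() {
    g "$PKG_HOME" --trust-model always --verify "$1.sig" "$1" 2>/dev/null
}

# --- constructed inputs to exercise the accept and reject paths ---
cp "$WORK/authorized-signers.pub" "$WORK/tampered.pub"
echo "-- injected line --" >> "$WORK/tampered.pub"      # invalidates the CA signature

printf 'constructed package contents\n' > "$WORK/foo-1.0.tgz"
g "$BUILDER_HOME" --local-user builder@example.invalid --detach-sign --armor \
    --output "$WORK/foo-1.0.tgz.sig" "$WORK/foo-1.0.tgz"

g "$ROGUE_HOME" --quick-generate-key 'unlisted builder (example) <rogue@example.invalid>' ed25519 sign 0
cp "$WORK/foo-1.0.tgz" "$WORK/rogue-1.0.tgz"
g "$ROGUE_HOME" --local-user rogue@example.invalid --detach-sign --armor \
    --output "$WORK/rogue-1.0.tgz.sig" "$WORK/rogue-1.0.tgz"

if install_signers "$WORK/tampered.pub" "$WORK/authorized-signers.sig"
then echo "tampered keyfile: ACCEPTED (bug)"; else echo "tampered keyfile: rejected"; fi
if install_signers "$WORK/authorized-signers.pub" "$WORK/authorized-signers.sig"
then echo "signed keyfile: installed into package keyring"; fi
if verify_pkg "$WORK/foo-1.0.tgz"
then echo "foo-1.0: signed by an authorized key"; fi
if verify_pkg "$WORK/rogue-1.0.tgz"
then echo "rogue-1.0: ACCEPTED (bug)"; else echo "rogue-1.0: rejected (signer not on the list)"; fi
echo "work dir left for inspection: $WORK"
```

The keyring used to check the keyfile (`SYS_HOME`) contains nothing but the CA key, and the fingerprint check on top of that means a good signature from any other key, even one that somehow ended up in that ring, is still refused. Updating the authorized list is then just re-exporting the keys, re-signing once with the offline CA key and re-publishing the two files; nothing on the signing side needs the individual pkgbuilder keys to be countersigned.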


