Marko Cupać
2015-Sep-09 07:14 UTC
10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
On Tue, 8 Sep 2015 23:28:59 +0200 Baptiste Daroussin <bapt at FreeBSD.org> wrote:

> On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:
> > Hi,
> >
> > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > with signature_type="pubkey".
> >
> > Quick search returns:
> > https://github.com/freebsd/pkg/issues/1309
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> >
> > I guess it is not hard to switch repo to fingerprints, however I
> > would not expect to lose this functionality by updating to
> > patchlevel.
> >
> Implemented in head: r287579 I will MFC it asap. And see if it cannot
> be added asap to a next patchlevel update.
>
> Best regards,
> Bapt

Thanx!

Just a few quick not-completely-related questions: poudriere has the
ability to sign repos with PKG_REPO_SIGNING_KEY, but not with external
command, right? Is there a plan to support it? Can I build packages in
poudriere without PKG_REPO_SIGNING_KEY, and sign repo later on with
external command?

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Baptiste Daroussin
2015-Sep-09 08:56 UTC
10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
On Wed, Sep 09, 2015 at 09:14:12AM +0200, Marko Cupać wrote:

> On Tue, 8 Sep 2015 23:28:59 +0200
> Baptiste Daroussin <bapt at FreeBSD.org> wrote:
>
> > On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:
> > > Hi,
> > >
> > > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > > with signature_type="pubkey".
> > >
> > > Quick search returns:
> > > https://github.com/freebsd/pkg/issues/1309
> > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> > >
> > > I guess it is not hard to switch repo to fingerprints, however I
> > > would not expect to lose this functionality by updating to
> > > patchlevel.
> > >
> > Implemented in head: r287579 I will MFC it asap. And see if it cannot
> > be added asap to a next patchlevel update.
> >
> > Best regards,
> > Bapt
>
> Thanx!
>
> Just a few quick not-completely-related questions: poudriere has the
> ability to sign repos with PKG_REPO_SIGNING_KEY, but not with external
> command, right? Is there a plan to support it? Can I build packages in
> poudriere without PKG_REPO_SIGNING_KEY, and sign repo later on with
> external command?
>

First, yes, I plan to add the ability to sign the package used to
bootstrap via PKG_REPO_SIGNING_KEY asap in poudriere.

Second, you can keep your current configuration of poudriere; the
signing with pubkey works perfectly well.

All you need to do is either via a poudriere post bulk hook or manually
go in the directory where your packages live (in the Latest directory)
and

    echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \
        -binary -out ./pkg.txz.pubkeysig

Last, if you want to do all the process manually:

    pkg repo /yourrepository /yourkey
    cd /yourrepository/Latest
    echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /yourkey \
        -binary -out ./pkg.txz.pubkeysig

I will see if I can avoid the extra command by merging the signing of
the bootstrap bit directly into pkg repo, that would be more handy

Best regards,
Bapt
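The signing step from the message above, paired with a check that the resulting pkg.txz.pubkeysig verifies before the repository is published. This is an added example, not part of the thread and not code from pkg or poudriere; the function names and the `repo.pub` public-key file are hypothetical, and `printf '%s'` stands in for `echo -n`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the hex SHA-256 of file $1 with no trailing newline.
# FreeBSD ships sha256(1); fall back to openssl elsewhere.
hex_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        printf '%s' "$(sha256 -q "$1")"
    else
        printf '%s' "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)"
    fi
}

# Same operation as the commands in the mail: the signed message is the
# hex digest string of pkg.txz, not the package bytes themselves.
# $1 = pkg.txz, $2 = private key (PEM)
sign_bootstrap() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    hex_digest "$1" |
        openssl dgst -sha256 -sign "$2" -binary -out "$1.pubkeysig"
}

# Succeed only if $1.pubkeysig verifies, under public key $2 (PEM),
# against the hex digest of $1 as it is on disk now.
verify_bootstrap() {
    [ -r "$1" ] && [ -s "$1.pubkeysig" ] && [ -r "$2" ] || return 2
    hex_digest "$1" |
        openssl dgst -sha256 -verify "$2" -signature "$1.pubkeysig" \
            >/dev/null 2>&1
}

# Usage: sh check-bootstrap.sh /yourrepository/Latest/pkg.txz repo.pub
if [ "$#" -eq 2 ]; then
    if verify_bootstrap "$1" "$2"; then
        echo "OK: $1.pubkeysig matches $1"
    else
        echo "FAIL: $1.pubkeysig does not verify" >&2
        exit 1
    fi
fi
```

A signature produced over the raw bytes of pkg.txz, or one left over from before pkg.txz was rebuilt, fails this check, which makes it suitable as the last step of a post-bulk hook.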
Bryan Drewery
2015-Sep-14 22:43 UTC
10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
On 9/9/15 12:14 AM, Marko Cupać wrote:

> On Tue, 8 Sep 2015 23:28:59 +0200
> Baptiste Daroussin <bapt at FreeBSD.org> wrote:
>
>> On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:
>>> Hi,
>>>
>>> I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
>>> with signature_type="pubkey".
>>>
>>> Quick search returns:
>>> https://github.com/freebsd/pkg/issues/1309
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
>>>
>>> I guess it is not hard to switch repo to fingerprints, however I
>>> would not expect to lose this functionality by updating to
>>> patchlevel.
>>>
>> Implemented in head: r287579 I will MFC it asap. And see if it cannot
>> be added asap to a next patchlevel update.
>>
>> Best regards,
>> Bapt
>
> Thanx!
>
> Just a few quick not-completely-related questions: poudriere has the
> ability to sign repos with PKG_REPO_SIGNING_KEY, but not with external
> command, right?

Poudriere already has SIGNING_COMMAND support for external command. It
is used for the fingerprints signing on pkg.FreeBSD.org. What is lacking
is signing pkg with the new format added in r287579 when using pubkey. I
am adding it in now for the next release.

> Is there a plan to support it? Can I build packages in
> poudriere without PKG_REPO_SIGNING_KEY, and sign repo later on with
> external command?
>
> Regards,
>

--
Regards,
Bryan Drewery