Re: Call for tests: pkg_install-renovation

[Joerg Sonnenberger <joerg%britannica.bec.de@localhost>]

On Sun, May 25, 2008 at 10:05:38PM +0100, Alistair Crooks wrote:
> On Sun, May 25, 2008 at 10:32:37PM +0200, Joerg Sonnenberger wrote:
> > On Sun, May 25, 2008 at 09:21:09PM +0100, Alistair Crooks wrote:
> > > Digitally signed binary packages, IIRC, are no longer handled in
> > > the same manner - perhaps you can describe how they are done now,
> > > please?
> > 
> > Sorry, yes. You prepare an OpenSSL certificate for it. pkg_install.conf
> > points to the certificate used for validation (see pkg_add(8).
> > pkg_admin sign-package is used to created them.
> 
> Ummm, right. Perhaps a bit more documentation on how to use
> them would be in order?

I would welcome any help in this area, my nroff-fu is still weak.
Basically, to create signed package for private use, run the CA.sh
script from OpenSSL first.

CERTIFICATE_ANCHOR_PKGS should point to .../newcerts/00.pem.

To sign a package, use
pkg_admin sign-package pkg.tgz signed/pkg.tgz \
        .../private/cakey.pem .../newcerts/00.pem

The signature check is enabled by setting VERIFIED_INSTALLATION
accordingly.

> > > Are there any other changes not mentioned here?
> > 
> > As discussed, the pkg_view and linkfarm script are no longer installed.
> > The @option preserve tag in PLISTs isn't supported.
> > Conflicts in the PLIST are checked before and installation in refused if
> > they happen. This depends on an up-to-date database (pkg_admin rebuild).
> 
> So now pkg_add/pkg_create relies on a valid and up-to-date binary database?

pkg_add does, yes. It will even more in the short term future when I am
adding a second database to speed-up @pkgdep and @pkgcfl handling, but
that's in the future. pkg_create doesn't as it would be too late at the
time it is running.

Joerg