pkgsrc-Users archive


Creating signed binary packages with pkgsrc




Hi everyone,

I am currently investigating providing signed binary packages for
NetBSD through the EdgeBSD platform, and am glad to say that this is
currently on a good track.

The following patch allows me to do so, at least with GPG:
http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=patch;h=b2ad0ec7e434d221d92218c52b18558a825f5ec9
(attached here too)

Quick howto:

add this to mk.conf:
SIGN_PACKAGES=gpg

or for X509:
SIGN_PACKAGES=x509
X509_KEY=/path/to/the/key
X509_CERTIFICATE=/path/to/the/certificate

add this to pkg_install.conf:
GPG=/path/to/bin/gpg
GPG_SIGN_AS=your-user-id
VERIFIED_INSTALLATIONS=always

With these set and the patch applied, packages should be signed
automatically, eg:
$ bmake package
[...]
/home/pkgsrc/pkg/sbin/pkg_admin -K /home/pkgsrc/pkg/var/db/pkg gpg-sign-package /home/pkgsrc/work/wrk/devel/deforaos-libsystem/work/.packages/deforaos-libsystem-0.1.5nb1.tgz /home/pkgsrc/packages/All/deforaos-libsystem-0.1.5nb1.tgz

You need a passphrase to unlock the secret key for
user: "EdgeBSD Packages <root%edgebsd.org@localhost>"
4096-bit RSA key, ID 6F3AF5E2, created 2013-08-29

...and then the package can be installed as expected.

I am still working on checking that the packages are properly verified.

HTH,
-- 
khorben
From b2ad0ec7e434d221d92218c52b18558a825f5ec9 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Fri, 30 Aug 2013 01:26:23 +0200
Subject: [PATCH] Added support for creating signed binary packages directly

---
 mk/defaults/mk.conf         |   15 +++++++++++++++
 mk/pkgformat/pkg/package.mk |   12 ++++++++++++
 2 files changed, 27 insertions(+), 0 deletions(-)

diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 46b89a2..86e4f06 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -60,6 +60,21 @@ GZIP?=       -9
 # Possible: not defined, no
 # Default: yes
 
+#SIGN_PACKAGES=
+# sign the packages generated (when supported) with the method specified.
+# Possible: gpg, x509, not defined
+# Default: not defined
+
+#X509_KEY=
+# key to use when signing packages with an X509 certificate.
+# Possible: pathname to the key file, not defined
+# Default: not defined
+
+#X509_CERTIFICATE=
+# certificate to use when signing packages with an X509 certificate.
+# Possible: pathname to the X509 certificate, not defined
+# Default: not defined
+
 #OBJHOSTNAME=
 # use hostname-specific object directories, e.g.  work.amnesiac, work.localhost
 # OBJHOSTNAME takes precedence over OBJMACHINE (see below).
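Review bot: the new SIGN_PACKAGES comment does not say what each method depends on, so a user reading only mk.conf cannot tell that the gpg path needs GPG and GPG_SIGN_AS in pkg_install.conf (as the cover mail explains) and that the x509 path needs both X509_KEY and X509_CERTIFICATE set together. Suggest extending the block after `# Possible: gpg, x509, not defined` with two lines such as `# gpg requires GPG and GPG_SIGN_AS in pkg_install.conf;` and `# x509 requires X509_KEY and X509_CERTIFICATE (see below).`, and marking X509_KEY and X509_CERTIFICATE as required when SIGN_PACKAGES=x509 in their own comments.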
diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk
index bfbfe57..3a0175b 100644
--- a/mk/pkgformat/pkg/package.mk
+++ b/mk/pkgformat/pkg/package.mk
@@ -77,12 +77,24 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
        fi
 
 .if ${_USE_DESTDIR} != "no"
+.if !empty(SIGN_PACKAGES:Mgpg)
+${PKGFILE}: ${STAGE_PKGFILE}
+       ${RUN} ${MKDIR} ${.TARGET:H}
+       @${STEP_MSG} "Creating signed binary package ${.TARGET}"
+       ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE}
+.elif !empty(SIGN_PACKAGES:Mx509)
+${PKGFILE}: ${STAGE_PKGFILE}
+       ${RUN} ${MKDIR} ${.TARGET:H}
+       @${STEP_MSG} "Creating signed binary package ${.TARGET}"
+       ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} 
${X509_CERTIFICATE}
+.else
 ${PKGFILE}: ${STAGE_PKGFILE}
        ${RUN} ${MKDIR} ${.TARGET:H}
        @${STEP_MSG} "Creating binary package ${.TARGET}"
        ${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
                ${CP} -pf ${STAGE_PKGFILE} ${PKGFILE}
 .endif
+.endif
 
 ######################################################################
 ### package-remove (PRIVATE)
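Review bot: the x509 branch has no guard for unset variables: with SIGN_PACKAGES=x509 and X509_KEY or X509_CERTIFICATE undefined, the `${PKG_ADMIN} x509-sign-package` rule is run with missing positional arguments and the failure only surfaces at package time. Suggest a check next to the `.elif !empty(SIGN_PACKAGES:Mx509)` line, e.g. `PKG_FAIL_REASON+= "SIGN_PACKAGES=x509 requires X509_KEY and X509_CERTIFICATE"` under `.if !defined(X509_KEY) || !defined(X509_CERTIFICATE)`. Two smaller points: the `x509-sign-package` command line is wrapped in the mail (the `${X509_CERTIFICATE}` continuation has no leading `+` and the preceding line carries trailing whitespace), so the patch as posted will not apply and should be resent unwrapped; and because both new branches sit inside `.if ${_USE_DESTDIR} != "no"`, SIGN_PACKAGES is silently ignored for non-DESTDIR builds, which deserves at least a warning message.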
-- 
1.7.2.5


