pkgsrc-Users archive


Re: Creating signed binary packages with pkgsrc



Nice work!

Some random thoughts:

1. the old pkg_add had signed package support via pkg_add -S pkg...
It was added in 2001.  Whilst I think that pkg_add is the right place
to put verification, it was done through a callout to gpg. Joerg tells
me there's still support in pkg_add for gpg --detach-sign, though, and 
unfortunately netpgp's --detach is the corresponding argument.

2. pkg_admin has done pgp and x.509 sigs since 2007 or 2008.

3. if you're doing verification of any signed packages, take a look
at pkgsrc/security/libnetpgpverify. It has zero dependencies, and is
fairly small in size. That's why I added it.

4. For your signing, signing in-line may not be the best way to do it.
I can think of numerous bulk build setups which would build the packages
first, and then have the packages signed in bulk at the end. The alternative
is passphrase-less keys, again not good.

5.  What do you do if you have a package which isn't signed?  Should
pkg_add warn, and add it; should it warn, and not add it; should it
fail visibly; should it not care?  Policy decisions, decisions,
decisions (a problem seen in production in a previous life)...

Oh, and GPG is just one (GPLed) implementation of PGP, RFC 4880. I'd
hate to think we put the wrong acronym into any definition.

When I did the signing support originally, though, signing the package
was the least onerous part of the work. The main part is getting buy-in
from everyone to sign packages, and for widespread adoption. I do think
the situation has changed in 12 years, though.

Best,
Alistair

On Fri, Aug 30, 2013 at 02:14:46AM +0200, Pierre Pronchery wrote:
> 
> Hi everyone,
> 
> I am currently investigating providing signed binary packages for
> NetBSD through the EdgeBSD platform, and glad to say that this is
> currently on a good track.
> 
> The following patch allows me to do so, at least with GPG:
> http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=patch;h=b2ad0ec7e434d221d92218c52b18558a825f5ec9
> (attached here too)
> 
> Quick howto:
> 
> add this to mk.conf:
> SIGN_PACKAGES=gpg
> 
> or for X509:
> SIGN_PACKAGES=x509
> X509_KEY=/path/to/the/key
> X509_CERTIFICATE=/path/to/the/certificate
> 
> add this to pkg_install.conf:
> GPG=/path/to/bin/gpg
> GPG_SIGN_AS=your-user-id
> VERIFIED_INSTALLATIONS=always
> 
> With these set and the patch applied, packages should be signed
> automatically, eg:
> $ bmake package
> [...]
> /home/pkgsrc/pkg/sbin/pkg_admin -K /home/pkgsrc/pkg/var/db/pkg
> gpg-sign-package
> /home/pkgsrc/work/wrk/devel/deforaos-libsystem/work/.packages/deforaos-libsystem-0.1.5nb1.tgz
> /home/pkgsrc/packages/All/deforaos-libsystem-0.1.5nb1.tgz
> 
> You need a passphrase to unlock the secret key for
> user: "EdgeBSD Packages <root%edgebsd.org@localhost>"
> 4096-bit RSA key, ID 6F3AF5E2, created 2013-08-29
> 
> ...and then the package can be installed as expected.
> 
> I am still working on checking that the packages are properly verified.
> 
> HTH,
> -- 
> khorben

> From b2ad0ec7e434d221d92218c52b18558a825f5ec9 Mon Sep 17 00:00:00 2001
> From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
> Date: Fri, 30 Aug 2013 01:26:23 +0200
> Subject: [PATCH] Added support for creating signed binary packages directly
> 
> ---
>  mk/defaults/mk.conf         |   15 +++++++++++++++
>  mk/pkgformat/pkg/package.mk |   12 ++++++++++++
>  2 files changed, 27 insertions(+), 0 deletions(-)
> 
> diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
> index 46b89a2..86e4f06 100644
> --- a/mk/defaults/mk.conf
> +++ b/mk/defaults/mk.conf
> @@ -60,6 +60,21 @@ GZIP?=     -9
>  # Possible: not defined, no
>  # Default: yes
>  
> +#SIGN_PACKAGES=
> +# sign the packages generated (when supported) with the method specified.
> +# Possible: gpg, x509, not defined
> +# Default: not defined
> +
> +#X509_KEY=
> +# key to use when signing packages with an X509 certificate.
> +# Possible: pathname to the key file, not defined
> +# Default: not defined
> +
> +#X509_CERTIFICATE=
> +# certificate to use when signing packages with an X509 certificate.
> +# Possible: pathname to the X509 certificate, not defined
> +# Default: not defined
> +
>  #OBJHOSTNAME=
>  # use hostname-specific object directories, e.g.  work.amnesiac, 
> work.localhost
>  # OBJHOSTNAME takes precedence over OBJMACHINE (see below).
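Review bot: the new mk.conf comments describe SIGN_PACKAGES, X509_KEY and X509_CERTIFICATE in isolation but not their coupling; the X509_KEY and X509_CERTIFICATE entries should state that both are required when SIGN_PACKAGES=x509, and the SIGN_PACKAGES entry should mention that the gpg method also depends on GPG and GPG_SIGN_AS in pkg_install.conf (as the cover mail's howto does), since a builder reading only mk.conf would otherwise configure half of the setup.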
> diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk
> index bfbfe57..3a0175b 100644
> --- a/mk/pkgformat/pkg/package.mk
> +++ b/mk/pkgformat/pkg/package.mk
> @@ -77,12 +77,24 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
>       fi
>  
>  .if ${_USE_DESTDIR} != "no"
> +.if !empty(SIGN_PACKAGES:Mgpg)
> +${PKGFILE}: ${STAGE_PKGFILE}
> +     ${RUN} ${MKDIR} ${.TARGET:H}
> +     @${STEP_MSG} "Creating signed binary package ${.TARGET}"
> +     ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE}
> +.elif !empty(SIGN_PACKAGES:Mx509)
> +${PKGFILE}: ${STAGE_PKGFILE}
> +     ${RUN} ${MKDIR} ${.TARGET:H}
> +     @${STEP_MSG} "Creating signed binary package ${.TARGET}"
> +     ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} 
> ${X509_CERTIFICATE}
> +.else
>  ${PKGFILE}: ${STAGE_PKGFILE}
>       ${RUN} ${MKDIR} ${.TARGET:H}
>       @${STEP_MSG} "Creating binary package ${.TARGET}"
>       ${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
>               ${CP} -pf ${STAGE_PKGFILE} ${PKGFILE}
>  .endif
> +.endif
>  
>  ######################################################################
>  ### package-remove (PRIVATE)
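Review bot: the x509 branch (`${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} ${X509_CERTIFICATE}`) expands X509_KEY and X509_CERTIFICATE unchecked, so if either is unset pkg_admin is run with missing positional arguments and the problem only surfaces at sign time; guard it with a `.if !defined(X509_KEY) || !defined(X509_CERTIFICATE)` that sets PKG_FAIL_REASON before the target is reached. Related: any SIGN_PACKAGES value other than gpg or x509 falls through to the `.else` branch and silently produces an unsigned package, which defeats the point of setting the variable, so an explicit error for unknown values would fail closed. The three branches also repeat the MKDIR and STEP_MSG lines; only the final command differs, so one target with the signing command selected by a variable would be smaller.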
> -- 
> 1.7.2.5
> 
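As an added example (not pkgsrc or EdgeBSD code), here is the bulk-signing step suggested in point 4 of the reply: packages are built unsigned and then signed in one pass at the end, using pkg_admin exactly as it appears in the quoted build log. The function name, its arguments (staging directory, output directory, pkgdb path) and the PKG_ADMIN override are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from pkgsrc or EdgeBSD: sign a directory of already
# built packages in one pass after the bulk build, instead of in-line during
# "bmake package". pkg_admin is invoked as in the quoted build log:
#   pkg_admin -K <pkgdb> gpg-sign-package <unsigned.tgz> <signed.tgz>
# Assumed: $1 = directory of unsigned .tgz files, $2 = output directory for
# signed packages, $3 = pkgdb path (default /var/db/pkg); PKG_ADMIN may
# override the pkg_admin binary. These names are the example's own.

sign_packages_bulk() {
    stagedir=$1
    signeddir=$2
    pkgdb=${3:-/var/db/pkg}
    pkg_admin=${PKG_ADMIN:-pkg_admin}
    signed=0
    failed=0

    mkdir -p "$signeddir" || return 1

    for pkg in "$stagedir"/*.tgz; do
        [ -f "$pkg" ] || continue          # no packages matched the glob
        out=$signeddir/$(basename "$pkg")
        # Signing is a separate step after the build, so the build hosts
        # themselves never need the signing key (point 4 in the reply).
        if "$pkg_admin" -K "$pkgdb" gpg-sign-package "$pkg" "$out" \
           && [ -s "$out" ]; then
            signed=$((signed + 1))
        else
            # Fail closed: never leave an unsigned or partial file in the
            # tree that pkg_add with VERIFIED_INSTALLATIONS=always will use.
            echo "sign_packages_bulk: failed to sign $pkg" >&2
            rm -f "$out"
            failed=$((failed + 1))
        fi
    done

    echo "signed=$signed failed=$failed"
    [ "$failed" -eq 0 ]                    # non-zero exit if anything failed
}
```

Run it as `sign_packages_bulk /path/to/packages/All /path/to/signed/All /var/db/pkg` once the bulk build has finished; a non-zero exit means at least one package is missing from the signed tree.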
