pkgsrc-Users archive


Re: Creating signed binary packages with pkgsrc



Hey,

On 30/08/2013 03:03, Alistair Crooks wrote:
> 
> Some random thoughts:
> [...]
> 
> 5.  What do you do if you have a package which isn't signed?  Should
> pkg_add warn, and add it; should it warn, and not add it; should it
> fail visibly; should it not care?  Policy decisions, decisions,
> decisions (a problem seen in production in a previous life)...

First, pkg_install.conf has the VERIFIED_INSTALLATION variable, which
can be set to "never", "always", "trusted" (interactive when not
verified) or "interactive" (always asking).

Then, true enough, it seems that the current behavior is "the package is
trusted if the key is known and the signature is good". That's certainly
not satisfying, because "I trust this key to be originating from this
person" does not mean "I trust whichever packages from this person". The
GPG_KEYRING_VERIFY variable can be (ab)used to emulate this though.

> Oh, and GPG is just one (GPLed) implementation of PGP, RFC 4880. I'd
> hate to think we put the wrong acronym into any definition.

If pkg_admin gets code specific for, say, netpgp, then SIGN_PACKAGES
could be set to netpgp. If netpgp is command-line compatible with gpg
(is it?), then it can be kept to "gpg" and GPG (path to gpg) can be set
to "/usr/bin/netpgp" instead.

It's not the kind of thing that's easy to get right the first time
without a good crystal ball :)

Cheers,
-- khorben

> On Fri, Aug 30, 2013 at 02:14:46AM +0200, Pierre Pronchery wrote:
> Hi everyone,
> 
> I am currently investigating providing signed binary packages for
> NetBSD through the EdgeBSD platform, and glad to say that this is
> currently on a good track.
> 
> The following patch allows me to do so, at least with GPG:
> http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=patch;h=b2ad0ec7e434d221d92218c52b18558a825f5ec9
> (attached here too)
> 
> Quick howto:
> 
> add this to mk.conf:
> SIGN_PACKAGES=gpg
> 
> or for X509:
> SIGN_PACKAGES=x509
> X509_KEY=/path/to/the/key
> X509_CERTIFICATE=/path/to/the/certificate
> 
> add this to pkg_install.conf:
> GPG=/path/to/bin/gpg
> GPG_SIGN_AS=your-user-id
> VERIFIED_INSTALLATIONS=always
> 
> With these set and the patch applied, packages should be signed
> automatically, eg:
> $ bmake package
> [...]
> /home/pkgsrc/pkg/sbin/pkg_admin -K /home/pkgsrc/pkg/var/db/pkg
> gpg-sign-package
> /home/pkgsrc/work/wrk/devel/deforaos-libsystem/work/.packages/deforaos-libsystem-0.1.5nb1.tgz
> /home/pkgsrc/packages/All/deforaos-libsystem-0.1.5nb1.tgz
> 
> You need a passphrase to unlock the secret key for
> user: "EdgeBSD Packages <root%edgebsd.org@localhost>"
> 4096-bit RSA key, ID 6F3AF5E2, created 2013-08-29
> 
> ...and then the package can be installed as expected.
> 
> I am still working on checking that the packages are properly verified.
> 
> HTH,
> 
>> >From b2ad0ec7e434d221d92218c52b18558a825f5ec9 Mon Sep 17 00:00:00 2001
>> From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
>> Date: Fri, 30 Aug 2013 01:26:23 +0200
>> Subject: [PATCH] Added support for creating signed binary packages directly
>>
>> ---
>>  mk/defaults/mk.conf         |   15 +++++++++++++++
>>  mk/pkgformat/pkg/package.mk |   12 ++++++++++++
>>  2 files changed, 27 insertions(+), 0 deletions(-)
>>
>> diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
>> index 46b89a2..86e4f06 100644
>> --- a/mk/defaults/mk.conf
>> +++ b/mk/defaults/mk.conf
>> @@ -60,6 +60,21 @@ GZIP?=    -9
>>  # Possible: not defined, no
>>  # Default: yes
>>  
>> +#SIGN_PACKAGES=
>> +# sign the packages generated (when supported) with the method specified.
>> +# Possible: gpg, x509, not defined
>> +# Default: not defined
>> +
>> +#X509_KEY=
>> +# key to use when signing packages with an X509 certificate.
>> +# Possible: pathname to the key file, not defined
>> +# Default: not defined
>> +
>> +#X509_CERTIFICATE=
>> +# certificate to use when signing packages with an X509 certificate.
>> +# Possible: pathname to the X509 certificate, not defined
>> +# Default: not defined
>> +
>>  #OBJHOSTNAME=
>>  # use hostname-specific object directories, e.g.  work.amnesiac, 
>> work.localhost
>>  # OBJHOSTNAME takes precedence over OBJMACHINE (see below).
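Review bot: the "Possible: gpg, x509, not defined" line for SIGN_PACKAGES reads as if the two were alternatives, but package.mk tests the variable with `:Mgpg` and `:Mx509`, so a value such as `gpg x509` is accepted without complaint and only the gpg branch is taken; the comment should state that a single method is honoured (or the variable should be checked for exactly one value). The gpg method also depends on GPG and GPG_SIGN_AS in pkg_install.conf, as the howto in the cover mail says, and nothing in mk.conf points the reader there, so a build with SIGN_PACKAGES=gpg and no pkg_install.conf settings only fails at signing time. Since X509_KEY names a private key file, the comment could also say that the file should be readable only by the user running the build.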
>> diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk
>> index bfbfe57..3a0175b 100644
>> --- a/mk/pkgformat/pkg/package.mk
>> +++ b/mk/pkgformat/pkg/package.mk
>> @@ -77,12 +77,24 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
>>      fi
>>  
>>  .if ${_USE_DESTDIR} != "no"
>> +.if !empty(SIGN_PACKAGES:Mgpg)
>> +${PKGFILE}: ${STAGE_PKGFILE}
>> +    ${RUN} ${MKDIR} ${.TARGET:H}
>> +    @${STEP_MSG} "Creating signed binary package ${.TARGET}"
>> +    ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE}
>> +.elif !empty(SIGN_PACKAGES:Mx509)
>> +${PKGFILE}: ${STAGE_PKGFILE}
>> +    ${RUN} ${MKDIR} ${.TARGET:H}
>> +    @${STEP_MSG} "Creating signed binary package ${.TARGET}"
>> +    ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} 
>> ${X509_CERTIFICATE}
>> +.else
>>  ${PKGFILE}: ${STAGE_PKGFILE}
>>      ${RUN} ${MKDIR} ${.TARGET:H}
>>      @${STEP_MSG} "Creating binary package ${.TARGET}"
>>      ${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
>>              ${CP} -pf ${STAGE_PKGFILE} ${PKGFILE}
>>  .endif
>> +.endif
>>  
>>  ######################################################################
>>  ### package-remove (PRIVATE)
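Review bot: the x509 branch runs `${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} ${X509_KEY} ${X509_CERTIFICATE}` with no check that either variable is set, so an unset X509_KEY produces a pkg_admin call with missing arguments and an unhelpful error; a guard such as `.if empty(X509_KEY) || empty(X509_CERTIFICATE)` with `PKG_FAIL_REASON+=` in front of the rule would fail the build with a clear message. The three recipes repeat the `${RUN} ${MKDIR} ${.TARGET:H}` and `@${STEP_MSG}` lines and differ only in the final command, so the conditional could wrap just that command instead of the whole rule. The new branches also sit inside `.if ${_USE_DESTDIR} != "no"`, so a non-DESTDIR build silently produces an unsigned package even with SIGN_PACKAGES set; that case should at least warn.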
>> -- 
>> 1.7.2.5
>>

-- 
khorben
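An added example, not part of this thread or of pkg_install, to make the policy discussion above concrete: a Go model of the decision pkg_add faces for the four VERIFIED_INSTALLATION values, with verification done against a dedicated keyring that holds only keys trusted to sign packages (the role the reply suggests emulating with GPG_KEYRING_VERIFY), so that "I know this person's key" and "I accept packages signed by it" are kept apart. Ed25519 from the Go standard library stands in for PGP; the key-ID derivation, the SignedPackage layout and the rule that a bad signature from a trusted key is refused under every verifying policy are assumptions of the example, and the package contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Policy mirrors the VERIFIED_INSTALLATION values from pkg_install.conf.
type Policy int

const (
	Never       Policy = iota // install without checking anything
	Always                    // refuse anything that does not verify
	Trusted                   // install if verified, ask otherwise
	Interactive               // always ask
)

// Decision is what pkg_add would do with the package.
type Decision string

const (
	Install Decision = "install"
	Refuse  Decision = "refuse"
	Ask     Decision = "ask"
)

// Keyring holds only keys trusted to sign packages, indexed by key ID.
// It is deliberately separate from a keyring that merely records whose
// key is whose.
type Keyring map[string]ed25519.PublicKey

// SignedPackage is a package file plus its signature; KeyID is empty
// for an unsigned package. (Layout is an assumption of this example.)
type SignedPackage struct {
	Name  string
	Data  []byte
	KeyID string
	Sig   []byte
}

// KeyID derives a short identifier from a public key, standing in for a
// PGP key ID (assumption of this example).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:4])
}

// digest binds the package name to its contents so a signature cannot be
// reused on a differently named package with identical bytes.
func digest(name string, data []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(data)
	return h.Sum(nil)
}

// SignPackage is the builder side, the counterpart of pkg_admin's
// sign-package step, using Ed25519 instead of a PGP key.
func SignPackage(priv ed25519.PrivateKey, name string, data []byte) SignedPackage {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, digest(name, data))
	return SignedPackage{Name: name, Data: data, KeyID: KeyID(pub), Sig: sig}
}

// Verify reports whether the signing key is in the package keyring and,
// if so, whether the signature matches the package contents.
func Verify(kr Keyring, p SignedPackage) (known, valid bool) {
	pub, ok := kr[p.KeyID]
	if !ok {
		return false, false
	}
	return true, ed25519.Verify(pub, digest(p.Name, p.Data), p.Sig)
}

// Decide applies the policy to the verification result.
func Decide(policy Policy, kr Keyring, p SignedPackage) Decision {
	if policy == Never {
		return Install
	}
	known, valid := Verify(kr, p)
	if known && !valid {
		// Assumption: a bad signature from a trusted key looks like
		// tampering, so no verifying policy offers to install it.
		return Refuse
	}
	switch policy {
	case Always:
		if known {
			return Install
		}
		return Refuse
	case Trusted:
		if known {
			return Install
		}
		return Ask
	default: // Interactive
		return Ask
	}
}

func main() {
	pkgPub, pkgPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	kr := Keyring{KeyID(pkgPub): pkgPub} // only the packages key is trusted to sign
	data := []byte("constructed package contents")
	fmt.Println("packages key, always:", Decide(Always, kr, SignPackage(pkgPriv, "a-1.0.tgz", data)))
	fmt.Println("known developer key, always:", Decide(Always, kr, SignPackage(devPriv, "a-1.0.tgz", data)))
	fmt.Println("unsigned, trusted:", Decide(Trusted, kr, SignedPackage{Name: "a-1.0.tgz", Data: data}))
}
```

The developer key case is the one the reply is about: the key may well be known and authentic, but because it is not in the package keyring the result is "refuse" under always and "ask" under trusted, rather than a silent install.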


