Subject: Re: little hacking project: bulk build checksums
To: Hubert Feyrer <firstname.lastname@example.org>
From: Alistair Crooks <email@example.com>
Date: 01/23/2005 16:42:57
On Sun, Jan 23, 2005 at 03:56:35AM +0100, Hubert Feyrer wrote:
> On Sun, 23 Jan 2005, grant beattie wrote:
> >we have the ability to cryptographically sign binary packages, which
> >can be automatically verified by pkg_add.
> I hear that myth on and off, but never found any documentation, usage
> examples etc. on it. Can you tell us more about it?

You should have come to the portable packaging system talk at
EuroBSDCon 2004 in Karlsruhe, where I explained about using digital
signatures in pkg_add.

The NetBSD Update talk from Usenix 2004 in Boston, which was
referenced from your blog, includes a screenshot showing an addition
of a digitally-signed package.

pkg_add(1) contains the following text:

    Use a callout to an external program to verify the binary package
    being installed against an existing detached signature file. The
    signature file must reside in the same directory as the binary
    package. At the present time, the following verification types
    are defined: none, gpg and pgp5. The signature will be verified
    at install time, and the results will be displayed. If the
    signature type is anything other than none, the user will be asked
    if pkg_add should proceed to install the binary package. The
    user must then take the decision whether to proceed or not,
    depending upon the amount of trust that is placed in the
    signatory of the binary package. Please note that, at the current
    time, it is not possible to use the verification feature when
    using pkg_add to add a binary package via a URL - the package,
    and the related detached signature file, must be local for the
    verification to work.

To make a digital signature of a binary package is very simple:

    % gpg -b <binary-package-name>

will make the detached signature file.

The following is an example of (a) signing a binary package, and then
(b) the addition of that digitally-signed binary package.

[16:39:34] agc@sys3 ~ 25 > gpg -b zsh-4.2.1.tgz
You need a passphrase to unlock the secret key for
user: "Alistair Crooks <firstname.lastname@example.org>"
2048-bit RSA key, ID C0596823, created 2004-01-12
[16:39:52] agc@sys3 ~ 26 > ls -al zsh*
-rw-r--r-- 1 agc agc 1614194 Jan 23 16:34 zsh-4.2.1.tgz
-rw-r--r-- 1 agc agc 280 Jan 23 16:39 zsh-4.2.1.tgz.sig
[16:40:00] agc@sys3 ~ 27 > priv pkg_add -s gpg zsh-4.2.1.tgz
pkg_add: Using signature file: /home/agc/./zsh-4.2.1.tgz.sig
gpg: Signature made Sun Jan 23 16:39:51 2005 GMT using RSA key ID C0596823
gpg: Good signature from "Alistair Crooks <email@example.com>"
gpg: aka "Alistair Crooks <firstname.lastname@example.org>"
gpg: aka "Alistair Crooks <email@example.com>"
gpg: aka "Alistair Crooks <firstname.lastname@example.org>"
Proceed with addition of /home/agc/./zsh-4.2.1.tgz: [y/n]? y
Executing '/bin/mkdir -p /usr/pkg/share/zsh/site-functions'
===> Updating /etc/shells
$NetBSD: MESSAGE,v 1.1 2001/10/31 22:27:02 zuntum Exp $
`/usr/pkg/share/doc/zsh/NEWS' contains a summary of important changes
for this version of zsh.
Note that the completion system can now be setup and configured using
the "compinstall" function. Please read the zshcompsys(1) manual page
for information on how this works.
[16:40:34] agc@sys3 ~ 28 >
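
Added example, not part of the original message and not pkg_add's own code: for unattended installs, where nobody is present to answer the [y/n] prompt shown above, the decision can be made from gpg's machine-readable status lines against a pinned signer fingerprint. The function names and the fingerprint are constructed placeholders; the page only gives the short key ID.

```shell
#!/bin/sh
# Added example: accept a detached signature only if gpg reports a valid
# signature from one pinned key, instead of reading "Good signature" text.

# Constructed placeholder; replace with the signer's real 40-hex fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line
# names the pinned fingerprint (signing key or primary key) and no failure
# status was reported. Empty input (gpg missing or crashed) fails closed.
status_accepts() {
    want=$1
    awk -v want="$want" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) {
            good = 1
        }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# Verify <pkg> against <pkg>.sig in the same directory, the layout
# pkg_add expects for its own -s check.
verify_pkg() {
    pkg=$1
    if [ ! -f "$pkg.sig" ]; then
        echo "no signature file: $pkg.sig" >&2
        return 1
    fi
    gpg --status-fd 1 --verify "$pkg.sig" "$pkg" 2>/dev/null |
        status_accepts "$PINNED_FPR"
}

# Usage: verify_pkg zsh-4.2.1.tgz && pkg_add zsh-4.2.1.tgz
```

Because the package and signature must be local for verification, the same check applies to a package fetched from a URL once both files have been downloaded.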