Subject: Re: little hacking project: bulk build checksums
To: None <tech-pkg@NetBSD.org>
From: Alistair Crooks <firstname.lastname@example.org>
Date: 01/23/2005 18:12:16
On Sun, Jan 23, 2005 at 12:04:19PM -0500, Jan Schaumann wrote:
> Alistair Crooks <email@example.com> wrote:
> > pkg_add(1) contains the following text:
> > -s verification-type
> > Use a callout to an external program to verify the binary package
> > being installed against an existing detached signature file. The
> > signature file must reside in the same directory as the binary
> > package. At the present time, the following verification types
> > are defined: none, gpg and pgp5.
> > To make a digital signature of a binary package is very simple:
> > % gpg -b <binary-package-name>
> > will make the detached signature file.
> Which, however, brings back the problem of not having a PGP tool in the
> base system. Our pkg tools should not rely on third-party software for
> the verification or creation of signatures.
The fact that gpg has a ghastly licence means that I implemented the
digital signatures (back in 2001) as a callout. I am not willing to
add gnupg to the base system (and there are others who have problems
with the trust model of gnupg).
> For that reason, I would probably tend more torwards the openssl
> approach, be it based on smime file signing or certificates. I would
> assume that it would be beneficial for the project to have a cert it
> could ship with in the base system.
I've been talking to the NetBSD security-officer team and some others
within the project about the best way to do this, and I'm not
convinced that openssl is the way to go - bootstrapping it, for
example, would be a PITA. In fact, the signature tool isn't the most
onerous thing right now - it's the CA policy. I am currently working
on this, and I hope that it will make the 3.0 cutoff date.
More as it happens...