tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Call for tests: pkg_install-renovation



On Sun, May 25, 2008 at 11:31:30PM +0200, Joerg Sonnenberger wrote:
> On Sun, May 25, 2008 at 10:05:38PM +0100, Alistair Crooks wrote:
> > On Sun, May 25, 2008 at 10:32:37PM +0200, Joerg Sonnenberger wrote:
> > > On Sun, May 25, 2008 at 09:21:09PM +0100, Alistair Crooks wrote:
> > > > Digitally signed binary packages, IIRC, are no longer handled in
> > > > the same manner - perhaps you can describe how they are done now,
> > > > please?
> > > 
> > > Sorry, yes. You prepare an OpenSSL certificate for it. pkg_install.conf
> > > points to the certificate used for validation (see pkg_add(8).
> > > pkg_admin sign-package is used to created them.
> > 
> > Ummm, right. Perhaps a bit more documentation on how to use
> > them would be in order?
> 
> I would welcome any help in this area, my nroff-fu is still weak.
> Basically, to create signed package for private use, run the CA.sh
> script from OpenSSL first.

nroff-fu is not needed.  Plain text will do.  In my experiences in the
past with CA.sh, it is not immediately obvious what needs to be done
to create a CA, or even what a CA is.  The openssl documentation
assumes intimate knowledhe of this area.  You have obviously generated
a CA cert, and so your experience in helping others to use this would
be invaluable.  WIthout it, people don't know what to do, and so your
modifications would go unused.
 
> CERTIFICATE_ANCHOR_PKGS should point to .../newcerts/00.pem.
> 
> To sign a package, use
> pkg_admin sign-package pkg.tgz signed/pkg.tgz \
>       .../private/cakey.pem .../newcerts/00.pem
> 
> The signature check is enabled by setting VERIFIED_INSTALLATION
> accordingly.

At the danger of repeating myself, and since this area has changed
significantly from the previous way of doing things, you need to
explain (a) what a cakey.pem is, and where to get it. You also need
to explain what newcerts/00.pem is, and where to get one.
 
> > > > Are there any other changes not mentioned here?
> > > 
> > > As discussed, the pkg_view and linkfarm script are no longer installed.
> > > The @option preserve tag in PLISTs isn't supported.
> > > Conflicts in the PLIST are checked before and installation in refused if
> > > they happen. This depends on an up-to-date database (pkg_admin rebuild).
> > 
> > So now pkg_add/pkg_create relies on a valid and up-to-date binary database?
> 
> pkg_add does, yes. It will even more in the short term future when I am
> adding a second database to speed-up @pkgdep and @pkgcfl handling, but
> that's in the future. pkg_create doesn't as it would be too late at the
> time it is running.

Hmm, interesting. I wasn't aware that you were going to tie us into this
way of doing things - mainly because I don't think it's a good idea.

Where was this change discussed?

Thanks,
Alistair


Home | Main Index | Thread Index | Old Index