tech-pkg archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Call for tests: pkg_install-renovation
On Sun, May 25, 2008 at 11:31:30PM +0200, Joerg Sonnenberger wrote:
> On Sun, May 25, 2008 at 10:05:38PM +0100, Alistair Crooks wrote:
> > On Sun, May 25, 2008 at 10:32:37PM +0200, Joerg Sonnenberger wrote:
> > > On Sun, May 25, 2008 at 09:21:09PM +0100, Alistair Crooks wrote:
> > > > Digitally signed binary packages, IIRC, are no longer handled in
> > > > the same manner - perhaps you can describe how they are done now,
> > > > please?
> > >
> > > Sorry, yes. You prepare an OpenSSL certificate for it. pkg_install.conf
> > > points to the certificate used for validation (see pkg_add(8).
> > > pkg_admin sign-package is used to created them.
> >
> > Ummm, right. Perhaps a bit more documentation on how to use
> > them would be in order?
>
> I would welcome any help in this area, my nroff-fu is still weak.
> Basically, to create signed package for private use, run the CA.sh
> script from OpenSSL first.
nroff-fu is not needed. Plain text will do. In my experiences in the
past with CA.sh, it is not immediately obvious what needs to be done
to create a CA, or even what a CA is. The openssl documentation
assumes intimate knowledhe of this area. You have obviously generated
a CA cert, and so your experience in helping others to use this would
be invaluable. WIthout it, people don't know what to do, and so your
modifications would go unused.
> CERTIFICATE_ANCHOR_PKGS should point to .../newcerts/00.pem.
>
> To sign a package, use
> pkg_admin sign-package pkg.tgz signed/pkg.tgz \
> .../private/cakey.pem .../newcerts/00.pem
>
> The signature check is enabled by setting VERIFIED_INSTALLATION
> accordingly.
At the danger of repeating myself, and since this area has changed
significantly from the previous way of doing things, you need to
explain (a) what a cakey.pem is, and where to get it. You also need
to explain what newcerts/00.pem is, and where to get one.
> > > > Are there any other changes not mentioned here?
> > >
> > > As discussed, the pkg_view and linkfarm script are no longer installed.
> > > The @option preserve tag in PLISTs isn't supported.
> > > Conflicts in the PLIST are checked before and installation in refused if
> > > they happen. This depends on an up-to-date database (pkg_admin rebuild).
> >
> > So now pkg_add/pkg_create relies on a valid and up-to-date binary database?
>
> pkg_add does, yes. It will even more in the short term future when I am
> adding a second database to speed-up @pkgdep and @pkgcfl handling, but
> that's in the future. pkg_create doesn't as it would be too late at the
> time it is running.
Hmm, interesting. I wasn't aware that you were going to tie us into this
way of doing things - mainly because I don't think it's a good idea.
Where was this change discussed?
Thanks,
Alistair
Home |
Main Index |
Thread Index |
Old Index