tech-pkg archive


Re: 2013Q3 freeze pre-announcement

Hi,

On 11/09/2013 08:35, Thomas Klausner wrote:
> On Wed, Sep 11, 2013 at 01:16:53AM +0200, Pierre Pronchery wrote:
>> Would this be the place to discuss building signed binaries for this
>> coming release? (or for the following one)
> 
> What needs to change for that -- is there infrastructure support
> needed or is it just configuration changes on the bulk build hosts?
>  Thomas

The first part is only configuration changes:
- in mk.conf "SIGN_PACKAGES=" set to "gpg" or "x509", possibly also
  "X509_KEY" and "X509_CERTIFICATE" for X509-based signatures;
  (needs my pkgsrc patch that hasn't received a green flag yet)
- in pkg_install.conf(5) "GPG" and "GPG_SIGN_AS" must be set (for
  "gpg"), possibly also "VERIFIED_INSTALLATION".

See also pkg_admin(1) for more information about signing with "gpg".

Signing with "gpg" requires an implementation (probably
security/gnupg) to be installed and available. This may be problematic
for bulk builds, because this binary would then need to be bootstrapped
first in some way - without signing its package, obviously.

Alternatively, it should be possible with little effort to use netpgp(1)
from base to achieve the same thing (in the context of NetBSD at least).

One more important thing: pkg_install requires the patch that I applied
this week to be able to extract and install signed packages reliably -
so its required version should then probably be bumped first thing.

HTH,
-- 
khorben
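The two configuration files named in the message above have to agree with each other before a bulk build is started: the mk.conf side decides whether packages get signed, the pkg_install.conf(5) side decides whether installs enforce those signatures. The script below is an added example, not code from this thread or from pkgsrc; it is a pre-flight check over both files. It assumes only the keys the message names (SIGN_PACKAGES, X509_KEY, X509_CERTIFICATE in mk.conf; GPG, GPG_SIGN_AS, VERIFIED_INSTALLATION in pkg_install.conf), and the sample files, the gpg path and the signing identity it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from pkgsrc): check that mk.conf and
# pkg_install.conf(5) describe a consistent package-signing setup.
# Sample files and the values in them are constructed for this example.

# conf_get FILE KEY: print the value of KEY from a KEY=value style file.
# Tolerates make-style "?=" / ":=", whitespace around "=", and double quotes.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[?:]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# check_signing_config MKCONF PKGCONF: print findings and return 0 only when
# packages will be signed at build time AND verified at install time.
check_signing_config() {
    mkconf=$1; pkgconf=$2; rc=0
    sign=$(conf_get "$mkconf" SIGN_PACKAGES)
    case "$sign" in
    gpg)
        # gpg signing: pkg_install.conf must name the binary and the key identity
        for k in GPG GPG_SIGN_AS; do
            [ -n "$(conf_get "$pkgconf" "$k")" ] \
                || { echo "missing: $k in $pkgconf (required for SIGN_PACKAGES=gpg)"; rc=1; }
        done ;;
    x509)
        # x509 signing: key and certificate come from mk.conf
        for k in X509_KEY X509_CERTIFICATE; do
            [ -n "$(conf_get "$mkconf" "$k")" ] \
                || { echo "missing: $k in $mkconf (required for SIGN_PACKAGES=x509)"; rc=1; }
        done ;;
    "")
        echo "SIGN_PACKAGES unset in $mkconf: packages would be built unsigned"; rc=1 ;;
    *)
        echo "unknown SIGN_PACKAGES value '$sign' (expected gpg or x509)"; rc=1 ;;
    esac
    # Signing is pointless if the installing side never checks the signature.
    verify=$(conf_get "$pkgconf" VERIFIED_INSTALLATION)
    case "$verify" in
    always|trusted|interactive)
        echo "ok: VERIFIED_INSTALLATION=$verify, signatures checked at install time" ;;
    never|"")
        echo "warn: VERIFIED_INSTALLATION=${verify:-unset}, signatures not enforced on install"; rc=1 ;;
    *)
        echo "unknown VERIFIED_INSTALLATION value '$verify'"; rc=1 ;;
    esac
    return $rc
}

# demo good|bad: write constructed sample files to a temp dir and check them.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'SIGN_PACKAGES=\tgpg\n' > "$dir/mk.conf"
    if [ "$1" = good ]; then
        # constructed: gpg from security/gnupg and a sample signing identity
        printf 'GPG=/usr/pkg/bin/gpg\nGPG_SIGN_AS=bulk-build@example.org\nVERIFIED_INSTALLATION=trusted\n' \
            > "$dir/pkg_install.conf"
    else
        # constructed: GPG_SIGN_AS missing and verification switched off
        printf 'GPG=/usr/pkg/bin/gpg\nVERIFIED_INSTALLATION=never\n' > "$dir/pkg_install.conf"
    fi
    check_signing_config "$dir/mk.conf" "$dir/pkg_install.conf"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo good
demo bad || echo "bad config rejected (exit $?)"
```

Run it on a real bulk-build host as `check_signing_config /etc/mk.conf /etc/pkg_install.conf`; the `demo` calls at the bottom only exercise the constructed samples. The check is deliberately strict about VERIFIED_INSTALLATION: a build host that signs everything while installs stay at "never" gives no protection on the consuming side.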
