Re: officially signed packages
-----BEGIN PGP SIGNED MESSAGE-----
Hi Fredrik, tech-pkg@,
On 06/04/2014 17:58, Fredrik Pettai wrote:
> On Jan 22, 2014, at 17:51 , Jeremy C. Reed <reed%reedmedia.net@localhost>
>> What do we need to do next to get officially signed packages?
>> I saw the thread at
Should we have some role account for GPG_SIGN_AS?
I think that would be great. Some steps are probably necessary before
we can provide signed packages by default though.
>> p.s. Should this ticket be closed? http://gnats.netbsd.org/48194
Thanks for the heads-up, I have just closed it.
> I noted that khorben@ committed (the final?) updates to pkgsrc
> infrastructure, so it's time to resurrect this thread again.
> What's the next step(s)?
I'd say one important thing is the ability to verify package
signatures without relying on any package to be installed already. I
think that's possible for X509-based signatures. In the case of GPG
signatures though, installing security/gnupg is currently required -
and it obviously can't verify itself while installing.
Checking GPG signatures could however be done with netpgp(1) from
base. It doesn't work out of the box yet, but it shouldn't be much
work to achieve (?). Feel free to beat me to it in any case :)
Once this is done I feel like it should be possible to let official
NetBSD releases default to signed binary packages, shipping the
release with the GPG public key pre-installed (possibly in a distinct
keyring), and then strictly checking the signatures by default. This
may be problematic on slow architectures, though; it will require
testing on the slower models of each to ensure operations on packages
are still usable - when installing in particular.
On a related note, the file format for signed packages isn't
particularly great at the moment. It will probably make sense to
re-design it at some point, but to me this is not a blocker.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)
-----END PGP SIGNATURE-----
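The bootstrap problem raised above (a checker that must not depend on a package it could be asked to verify, and that should fail closed by default) can be made concrete. The following is an added example, not code from the thread or from pkg_install: it builds a block-hash manifest over a package, verifies the package against that manifest, and gates installation on the trust root living outside the package prefix and on a verifier being present in base. The manifest layout, the `/etc/pkg-signing/pubring.gpg` keyring path and the `netpgpverify -k <keyring>` invocation are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import shutil
import subprocess

BLOCK_SIZE = 65536
PKG_PREFIX = "/usr/pkg"                              # where pkgsrc-installed packages live
TRUSTED_KEYRING = "/etc/pkg-signing/pubring.gpg"     # hypothetical keyring shipped with the release


def build_manifest(pkg_path, pkgname, block_size=BLOCK_SIZE):
    """Hash the package in fixed-size blocks. Signing the small manifest rather than the
    whole archive lets an installer check one signature, then verify blocks as it streams."""
    digests, size = [], 0
    with open(pkg_path, "rb") as f:
        while True:
            chunk = f.read(block_size)
            if not chunk:
                break
            size += len(chunk)
            digests.append(hashlib.sha512(chunk).hexdigest())
    header = [
        "example-manifest: 1",       # constructed layout, not the real pkg_install format
        f"pkgname: {pkgname}",
        "algorithm: SHA512",
        f"block size: {block_size}",
        f"file size: {size}",
        "",
    ]
    return "\n".join(header + digests) + "\n"


def parse_manifest(text):
    head, _, body = text.partition("\n\n")
    fields = {}
    for line in head.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return fields, body.split()


def check_manifest(pkg_path, manifest):
    """True only if every block digest and the total size match the file on disk;
    extra trailing data not covered by the manifest is rejected too."""
    fields, digests = parse_manifest(manifest)
    if fields.get("algorithm") != "SHA512":
        return False
    block_size, seen = int(fields["block size"]), 0
    with open(pkg_path, "rb") as f:
        for expected in digests:
            chunk = f.read(block_size)
            if not chunk or not hmac.compare_digest(hashlib.sha512(chunk).hexdigest(), expected):
                return False
            seen += len(chunk)
        if f.read(1):
            return False
    return seen == int(fields["file size"])


def keyring_is_independent(keyring, pkg_prefix=PKG_PREFIX):
    """The trust root must not come from a package the checker could itself be verifying."""
    real = os.path.realpath(keyring)
    return not (real == pkg_prefix or real.startswith(pkg_prefix + os.sep))


def verify_signature(manifest_path, sig_path, keyring, verifier="netpgpverify"):
    """Assumed interface: the verifier from base exits 0 when the detached signature
    over the manifest validates against the given keyring."""
    result = subprocess.run([verifier, "-k", keyring, sig_path, manifest_path], capture_output=True)
    return result.returncode == 0


def install_allowed(pkg_path, manifest_path, sig_path, keyring=TRUSTED_KEYRING,
                    verifier="netpgpverify", strict=True):
    """Fail closed: every precondition must hold before the archive is touched.
    Returns (allowed, reason)."""
    if not keyring_is_independent(keyring):
        return False, "keyring lives under the package prefix"
    if shutil.which(verifier) is None:
        if strict:
            return False, "no signature verifier in base"
        return True, "unsigned install permitted (strict=False)"
    if not os.path.exists(keyring):
        return False, "trusted keyring missing"
    if not verify_signature(manifest_path, sig_path, keyring, verifier):
        return False, "signature check failed"
    with open(manifest_path) as f:
        if not check_manifest(pkg_path, f.read()):
            return False, "package contents do not match signed manifest"
    return True, "ok"
```

The order of checks is the point: the keyring location and the presence of a base-system verifier are decided before any cryptography runs, so a missing `security/gnupg` can never silently turn a "verify" into a "skip". The block-wise digests also keep the per-package cost to one SHA-512 pass, which is what would need measuring on the slower architectures mentioned above.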