tech-pkg archive
Signature verification with netpgpverify
Hi,
We're looking to start signing our quarterly packages, but it annoyed
me that I had to include gpg and thus a bunch of other things in our
bootstrap kits which are supposed to be minimal, and that there was no
way to disable the horribly verbose output, i.e.:
$ pkg_add digest-20121220.tgz
gpg: Signature made Mon 2 Feb 16:16:27 2015 GMT using RSA key ID D532A578
gpg: Good signature from "Jonathan Perkin <jonathan%perkin.org.uk@localhost>"
gpg: aka "Jonathan Perkin <jperkin%pkgsrc.org@localhost>"
gpg: aka "Jonathan Perkin <jperkin%joyent.com@localhost>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 785C 44DA 3311 37B3 3B1F CA0B 215E 7BAF D532 A578
This quickly gets tedious when installing a lot of packages, and
trains users to ignore gpg output.
So I wrote a diff for pkg_install to instead use Al's netpgpverify
library to perform signature verification inline and with Unix-style
output (i.e. nothing unless there is an error).
$ vi /path/to/pkg_install.conf
VERIFIED_INSTALLATION=always
$ pkg_add digest-20121220.tgz
$ echo $?
0
Rebuild digest without SIGN_PACKAGES=gpg set.
$ pkg_add digest-20121220.tgz
pkg_add: No valid signature found, rejected
pkg_add: 1 package addition failed
$ echo $?
1
It also performs verification of the pkg-vulnerabilities file:
$ pkg_admin fetch-pkg-vulnerabilities
$ pkg_admin check-pkg-vulnerabilities -s /path/to/pkg-vulnerabilities
pkg_admin: unable to verify signature: Signature key id 0f03b7a97dbe3f8c not found
$ echo $?
1
$ gpg --recv-keys 7DBE3F8C
$ pkg_admin check-pkg-vulnerabilities -s /path/to/pkg-vulnerabilities
$ echo $?
0
The diff rips out verification via gpg_cmd and just uses netpgpverify
which cleans things up a bit. If there are valid reasons for keeping
support for external verification let me know, otherwise please
test/review this:
http://us-east.manta.joyent.com/pkgsrc/public/patches/pkgverify.diff
SunOS currently needs some additional diffs to get netpgpverify to
build; I'll work with agc to get these integrated separately.
Thanks,
--
Jonathan Perkin - Joyent, Inc. - www.joyent.com
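As an added example (not part of the original post and not pkg_install's own code), the shell below shows the two things the post relies on from an operator's side: auditing pkg_install.conf for the VERIFIED_INSTALLATION setting, and driving a batch of package additions purely off the exit status, as the "nothing unless there is an error" output style makes possible. It assumes the four documented values of VERIFIED_INSTALLATION (never, always, trusted, interactive), treats an unset value as "never" (an assumption; consult pkg_install.conf(5) on your system), and takes the verifier command as a parameter so that it can be pkg_add on a real host or a stub when exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit VERIFIED_INSTALLATION in a
# pkg_install.conf and run a fail-closed batch install that relies only on the
# verifier's exit status (silent on success, nonzero on failure).

# Print the effective VERIFIED_INSTALLATION value from a conf file.
# Documented values: never, always, trusted, interactive.  The last
# assignment wins; comments and surrounding whitespace are ignored.
verified_installation_mode() {
    conf="$1"
    mode=$(sed -n \
        's/^[[:space:]]*VERIFIED_INSTALLATION[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" | tail -n 1)
    # Assumption: an unset value behaves like "never" (verification not enforced).
    [ -n "$mode" ] || mode="never"
    printf '%s\n' "$mode"
}

# Return 0 only when verification is mandatory for every package ("always");
# "trusted" and "interactive" still let unsigned packages through in some paths.
require_verified_installation() {
    case "$(verified_installation_mode "$1")" in
        always) return 0 ;;
        *)      return 1 ;;
    esac
}

# Add each package with the given verifier command (pkg_add on a real host),
# reporting only failures and returning the number of packages rejected.
install_all() {
    verify_cmd="$1"; shift
    failed=0
    for pkg in "$@"; do
        if ! "$verify_cmd" "$pkg"; then
            echo "install_all: $pkg rejected (exit status $?)" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ] || echo "install_all: $failed package addition(s) failed" >&2
    return "$failed"
}

# Stand-alone demo against a constructed conf file: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_conf=$(mktemp)
    printf '# constructed sample conf\nVERIFIED_INSTALLATION=trusted\n' > "$demo_conf"
    echo "mode: $(verified_installation_mode "$demo_conf")"
    require_verified_installation "$demo_conf" || echo "verification is not mandatory" >&2
    rm -f "$demo_conf"
fi
```

On a host that already has the patched pkg_add, `install_all pkg_add *.tgz` is the intended use; the return value is the count of rejected packages, so a non-zero status in a cron job or build script means at least one package failed signature verification.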