tech-pkg archive


Signature verification with netpgpverify



Hi,

We're looking to start signing our quarterly packages, but it annoyed
me that I had to include gpg and thus a bunch of other things in our
bootstrap kits which are supposed to be minimal, and that there was no
way to disable the horribly verbose output, i.e.:

  $ pkg_add digest-20121220.tgz
  gpg: Signature made Mon  2 Feb 16:16:27 2015 GMT using RSA key ID D532A578
  gpg: Good signature from "Jonathan Perkin <jonathan%perkin.org.uk@localhost>"
  gpg:                 aka "Jonathan Perkin <jperkin%pkgsrc.org@localhost>"
  gpg:                 aka "Jonathan Perkin <jperkin%joyent.com@localhost>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 785C 44DA 3311 37B3 3B1F  CA0B 215E 7BAF D532 A578

This quickly gets tedious when installing a lot of packages, and
trains users to ignore gpg output.

So I wrote a diff for pkg_install to instead use Al's netpgpverify
library to perform signature verification inline and with Unix-style
output (i.e. nothing unless there is an error).

  $ vi /path/to/pkg_install.conf
  VERIFIED_INSTALLATION=always

  $ pkg_add digest-20121220.tgz
  $ echo $?
  0

 Rebuild digest without SIGN_PACKAGES=gpg set.

  $ pkg_add digest-20121220.tgz
  pkg_add: No valid signature found, rejected
  pkg_add: 1 package addition failed
  $ echo $?
  1

It also performs verification of the pkg-vulnerabilities file:

  $ pkg_admin fetch-pkg-vulnerabilities
  $ pkg_admin check-pkg-vulnerabilities -s /path/to/pkg-vulnerabilities
  pkg_admin: unable to verify signature: Signature key id 0f03b7a97dbe3f8c not found
  $ echo $?
  1

  $ gpg --recv-keys 7DBE3F8C
  $ pkg_admin check-pkg-vulnerabilities -s /path/to/pkg-vulnerabilities
  $ echo $?
  0

The diff rips out verification via gpg_cmd and just uses netpgpverify
which cleans things up a bit.  If there are valid reasons for keeping
support for external verification let me know, otherwise please
test/review this:

  http://us-east.manta.joyent.com/pkgsrc/public/patches/pkgverify.diff

SunOS currently needs some additional diffs to get netpgpverify to
build, I'll work with agc to get these integrated separately.

Thanks,

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com
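
An added example, not part of the original post or of pkgverify.diff: the same "silent on success, one line and exit 1 on failure" behaviour for scripts that still call gpg, built on gpg's machine-readable --status-fd output rather than netpgpverify. The function names, the PINNED fingerprint and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of pkgverify.diff or pkg_install.
# PINNED is a constructed placeholder for a fingerprint obtained out of band.
PINNED=0123456789ABCDEF0123456789ABCDEF01234567

# check_status FPR: read gpg --status-fd lines on stdin.
# Returns 0 silently if a valid signature from primary key FPR was seen and
# nothing failed; otherwise prints one line to stderr and returns 1.
check_status() {
    want=$1 ok=0 bad=""
    while read -r tag kw rest; do
        if [ "$tag" != "[GNUPG:]" ]; then continue; fi
        case $kw in
            VALIDSIG)   # last field is the primary key fingerprint
                if [ "${rest##* }" = "$want" ]; then ok=1; fi ;;
            NO_PUBKEY)  # first field is the long key id
                bad="Signature key id ${rest%% *} not found" ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                : "${bad:=signature rejected ($kw)}" ;;
        esac
    done
    if [ "$ok" = 1 ] && [ -z "$bad" ]; then return 0; fi
    echo "verify: ${bad:-No valid signature found}, rejected" >&2
    return 1
}

# quiet_verify FPR SIGFILE DATAFILE: run gpg and discard its human-readable
# output; only the status lines decide the result.
quiet_verify() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed status output for a good signature by the pinned key.
sample_good() {
    echo "[GNUPG:] NEWSIG"
    echo "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>"
    echo "[GNUPG:] VALIDSIG $PINNED 2015-02-02 1422893787 0 4 0 1 8 00 $PINNED"
}

# Constructed status output when the signing key is not in the keyring.
sample_nokey() {
    echo "[GNUPG:] ERRSIG 00112233AABBCCDD 1 8 00 1422893787 9"
    echo "[GNUPG:] NO_PUBKEY 00112233AABBCCDD"
}
```

A valid signature made by any key other than the pinned one is rejected with "No valid signature found", so the decision does not depend on gpg's web-of-trust warning.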

