tech-pkg archive


Re: Handling GPG signatures for pkgsrc with netpgp



Sorry, thought I'd already given the go-ahead to commit your changes; I certainly don't want to be a roadblock in these kinds of things.

Incidentally, you may want to update your cert on edgebsd - Chrome tells me "NET::ERR_CERT_AUTHORITY_INVALID" for git.edgebsd.org

Best,
Alistair



On 2 February 2017 at 14:35, Pierre Pronchery <khorben%defora.org@localhost> wrote:
Hi tech-pkg@,

I would like to mention that I have made good progress in the context of handling GPG signatures for pkgsrc with netpgp instead of GnuPG, and I am now able to use netpgp to both generate and verify signed binary packages from pkgsrc! Some bugs are still lurking, but this is a start.

It currently requires applying the packages attached, and setting the gpg2netpgp wrapper attached in /etc/pkg_install.conf, e.g.:
GPG=/usr/local/bin/gpg2netpgp

There is a security issue with this setup - without being a regression though. Long story short, it is possible to fool netpgp into reporting what looks like a detached signature as being successfully verified, whereas it will look at content within the signature instead of the file to verify. I have no patch to fix this yet.

I sent these patches to agc@ and security-officer@ for review back on October 10th when I had more time to work on this, but I need to carry on so I am posting it here. As usual clones of my work repositories can be found there:
https://git.edgebsd.org/gitweb/?p=pkgsrc.git;a=summary

Being cryptography software and not my own code in the first place, I will appreciate a green light before committing any of these. This is quite exciting though, as save for a few issues remaining, it is no longer necessary to bootstrap GnuPG to import keys or support signed packages :)

Cheers,
-- khorben

On 05/10/2016 01:57, Pierre Pronchery wrote:
I thought you might want to know, I have managed to create GPG-signed
binary packages with pkgsrc, using netpgp alone (and without any
additional patch) thanks to the wrapper attached. It only requires
setting GPG=gpg2netpgp in pkg_install.conf.

By the way, I am writing to you directly assuming you are the official
maintainer for netpgp; please let me know if there is a different
upstream nowadays.

Cheers!
-- khorben

On 08/09/2016 17:57, Pierre Pronchery wrote:
On 09/ 8/16 09:24 AM, Alistair Crooks wrote:
Thanks for your mail and patch.

I'll have a look at this one tomorrow, it's a bit late tonight.

I have found another crash, if netpgpkeys fails to import a key while
the keyring is still empty:

$ netpgpkeys --homedir /tmp/nonexistent --import-key /dev/null
netpgp: warning homedir "/tmp/nonexistent" not found
/tmp/nonexistent/pubring.gpg: No such file or directory
Can't read pubring /tmp/nonexistent/pubring.gpg
Can't read pub keyring
Segmentation fault

The patch attached fixes this issue.

HTH,
-- khorben

On 7 September 2016 at 08:48, Pierre Pronchery <khorben%defora.org@localhost> wrote:

    Hi Alistair,

    I hope you are doing good. I have encountered this bug in NetPGP:

    $ netpgpkeys --import-key
    Segmentation fault

    In this case, I would expect netpgpkeys to either bail, or read keys
    from the standard input. I have written a patch for the latter,
    which I am attaching here.

    Let me know what you think.

    Cheers,

--
khorben
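
An added example, not part of the thread and not netpgp or pkgsrc code: a structural pre-check for the detached-signature issue mentioned in the 2 February 2017 message, which refuses a signature file that carries anything other than Signature packets before it is handed to a verifier. It assumes that content embedded in the signature shows up as non-Signature OpenPGP packets, and that the input is binary (ASCII-armored files must be dearmored first); the function names and sample bytes are hypothetical.

```python
SIGNATURE_TAG = 2  # RFC 4880 packet tag for a Signature packet

def packet_tags(data: bytes) -> list:
    """Return the top-level packet tags of a binary (non-armored) OpenPGP stream."""
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:                 # one-octet length
                length, pos = first, pos + 1
            elif first < 224:               # two-octet length
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:              # five-octet length
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:                           # partial body length: streamed data
                raise ValueError("partial length is not valid for a bare signature")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not valid here")
            size = 1 << ltype               # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        pos += length
    return tags

def is_pure_detached_signature(data: bytes) -> bool:
    """True only if the file holds Signature packets and nothing else."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):        # malformed or truncated input
        return False
    return bool(tags) and all(t == SIGNATURE_TAG for t in tags)

# Constructed sample inputs (packet bodies are filler, not real signatures).
DETACHED = b"\x88\x03abc"                                    # Signature only
EMBEDDED = b"\x90\x01x" + b"\xac\x05hello" + b"\x88\x03abc"  # one-pass, literal, sig

if __name__ == "__main__":
    for name, blob in (("detached", DETACHED), ("embedded", EMBEDDED)):
        print(name, packet_tags(blob), is_pure_detached_signature(blob))
```

This check is structural only: it does not verify any signature, it only decides whether the file is shaped like a detached signature.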


