Re: Obstacles to get signed binary pkgs

[Jonathan Perkin <jperkin%joyent.com@localhost>]

* On 2020-01-31 at 09:02 GMT, Martin Husemann wrote:

> First the obvious question: can netgpp(1) be used by pkg_* to verify
> binary pkgs? If so, what setup is needed? If not: could that please be
> added?

I implemented inline netpgp signing over 4 years ago:

  https://github.com/NetBSD/pkgsrc/commit/8c5aa18a9ab3d3c97d0638c9e75278e97b63fa5d

I don't know what versions of NetBSD have this, though.

> Second question: assuming I start from scratch, how do I verify the first
> binary pkg I install (which likely will be gpg, so I can verify pkgs)?

This isn't needed as per the above.

> Now on the other side: assuming I do bulk pkg builds with pbulk, what do
> I need to setup to get binary pkgs signed? Where is a step-by-step 
> documentation? Are there any administrative things that TNF needs to
> decide or provide?

I've documented this for our users here:

  https://github.com/joyent/pkgsrc/wiki/pkgdev:signing

though some of that is specific to the pkgbuild infrastructure I've
built around pkgsrc.  The basic overview from scratch though is:

  * Generate a PGP key.  Set GPG_SIGN_AS to the keyid in
    pkg_install.conf.

  * Install gnupg somewhere.  Set GPG to the path to gpg2 in
    pkg_install.conf.

  * Run an agent (I know some in NetBSD are going to immediately balk
    at this, but if you're not going to use an agent then you get to
    do the hard (and some might say pointless) work of figuring out
    how to avoid it), configure gpg to use it, and cache the password.

  * Export the public key somewhere, and point GPG_KEYRING_VERIFY at
    it in pkg_install.conf.

  * Build your packages.

  * Distribute your public key with GPG_KEYRING_VERIFY configured to
    wherever it is installed, and set VERIFIED_INSTALLATION=always to
    force package verification if required.

The scripts I use to do all this are:

  https://github.com/joyent/pkgbuild/blob/master/scripts/mk-pbulk-bootstrap
  https://github.com/joyent/pkgbuild/blob/master/scripts/mk-release-bootstrap

The first is what is used by the build hosts to bulk build everything
and sign the packages, and the second generates the kits that are
distributed to end-users.  They're not the easiest to read with all
the variables in use, but they're used to produce signed bootstrap
packages across all the OS I build for.

The bootstrap kits are themselves then signed with the same key, and
published for users to download and optionally verify here:

  https://pkgsrc.joyent.com/install-on-illumos/
  https://pkgsrc.joyent.com/install-on-osx/
  https://pkgsrc.joyent.com/install-on-linux/

> And the answer I personally was looking for when I started asking around
> recently: what would need to be added to base system installers (like
> public keys...) and/or what changes would sysinst need to make this
> easy for a new installation?

These are the questions I can't answer.  NetBSD is going to be
different to all the other OS that have package signing enabled, as
you ship pkg_install with the OS.  For us it's easy, we distribute the
pkg_install bootstrap kit bundled with all the bits necessary for
verifying its signed packages.

As an added bonus we also include the pkgsrc-security key so that the
vulnerabilities file can be verified out of the box, and distribute
this as a package so that it can be updated whenever the key changes.
This is configured with GPG_KEYRING_PKGVULN in pkg_install.conf.

Hope that helps.  I may have glossed over some details, let me know if
anything needs further explanation.

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com