[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Obstacles to get signed binary pkgs
On Fri, Jan 31, 2020 at 09:46:04AM +0000, Jonathan Perkin wrote:
Thanks a lot, very helpful! Skipping the technical details for now...
> These are the questions I can't answer. NetBSD is going to be
> different to all the other OS that have package signing enabled, as
> you ship pkg_install with the OS. For us it's easy, we distribute the
> pkg_install bootstrap kit bundled with all the bits necessary for
> verifying its signed packages.
> As an added bonus we also include the pkgsrc-security key so that the
> vulnerabilities file can be verified out of the box, and distribute
> this as a package so that it can be updated whenever the key changes.
> This is configured with GPG_KEYRING_PKGVULN in pkg_install.conf.
Is the following a practical aproach?
- We add the NetBSD security officer public key (as of the time a release
is generated) to our (base system) distribution, e.g. as part of the
- We assume that binaries to a each individual pkg repository (i.e. ftp
server directory) are build by a single build environment. Each gets
a signing key (not necessarily unique) and the public key of that
is stored at the root of the pkg repository, and officially
signed by the NetBSD security officer. The pkgsrc-security key
with same handling too.
- We can switch keys any time we start a pkg build from scratch. Or the
other way around: if we need to switch keys, all pkgs need to be
Not quite sure yet how to most easily make the initial install available
and self-verified, but whether it is pkgin, a script, or some special
functionality in sysinst can be discussed later.
Would that work? Did I overlook something?
Main Index |
Thread Index |