On Fri, Jan 31, 2020 at 09:46:04AM +0000, Jonathan Perkin wrote:
Thanks a lot, very helpful! Skipping the technical details for now...
> These are the questions I can't answer. NetBSD is going to be
> different to all the other OS that have package signing enabled, as
> you ship pkg_install with the OS. For us it's easy, we distribute the
> pkg_install bootstrap kit bundled with all the bits necessary for
> verifying its signed packages.
> As an added bonus we also include the pkgsrc-security key so that the
> vulnerabilities file can be verified out of the box, and distribute
> this as a package so that it can be updated whenever the key changes.
> This is configured with GPG_KEYRING_PKGVULN in pkg_install.conf.
Is the following a practical aproach?
- We add the NetBSD security officer public key (as of the time a release
is generated) to our (base system) distribution, e.g. as part of the
Let's add the pkgsrc-security pub key, as well as the NetBSD one - validity of pkgsrc-security is one year, and it has both signing and encryption keys on there, so I think it's a better fit. It's also probably the more correct in terms of roles :)
Alternatively, we should cut a new key, solely for signing of releases. As Jonathan notes later on, validity across releases is a necessary item.
- We assume that binaries to a each individual pkg repository (i.e. ftp
server directory) are build by a single build environment. Each gets
a signing key (not necessarily unique) and the public key of that
is stored at the root of the pkg repository, and officially
signed by the NetBSD security officer. The pkgsrc-security key
with same handling too.
- We can switch keys any time we start a pkg build from scratch. Or the
other way around: if we need to switch keys, all pkgs need to be
Not quite sure yet how to most easily make the initial install available
and self-verified, but whether it is pkgin, a script, or some special
functionality in sysinst can be discussed later.
Would that work? Did I overlook something?
I've also got some code that should hit a tree RSN that will use another approach to signing