tech-pkg archive


Re: signed packages documentation

On Thu, Jul 23, 2020 at 03:24:16PM -0400, Greg Troxel wrote:
> Joerg Sonnenberger <> writes:
> > On Thu, Jul 23, 2020 at 11:36:38AM -0400, Greg Troxel wrote:
> >>   pkg_install.conf mentions "GPG_SIGN_AS" as a config variable.  It
> >>   doesn't speak to where the key is, or what program is used to sign.
> >>   We have netpgp in NetBSD base, and there is gpg 1 and 2 in pkgsrc.
> >
> > Read again? There are four paragraphs above that variable...
> So is netpgp in the picture at all?  Or is it usable as a "GPG" program
> (which it isn't, but it looks like it is intended to be
> argument-compatible)?

It is used for the verification, but couldn't do the signing for some
reasons that I forgot.

> >>   There is some notion of certificate chains, and it is not clear if
> >>   there is any provision for including these in a signed package,
> >>   similar to have pkix sends a cert chain for TLS.
> >
> > There are two models for signing supported, using PGP signatures and
> > using x509 signatures. Certificate chains are used for the latter.
> The notion of two PKI models, and validation is not clearly explained
> anywhere.  So is it fair that:
> are (ignoring vulnerability file for now) only used for verifications,
> and if set is a declaration that packages must be signed with x509?

pkg_add opens the package, sees a signature and checks if it can verify
it. If it can, it considers the package signed, otherwise it continues.
A package can have an x509 signature, a PGP signature or both or none at
all. If a signature type is found and there is no corresponding trust
configured, the signature is rejected/ignored.

> I see GPG_KEYRING_VERIFY, but nothing speaks to how keys in the keyring
> are processed, in terms of needing to be marked trusted, validatable
> from trusted keys following gnupg defaults, just in the keyring, or ?

All valid keys in the keyring are considered trusted.

> Is there a technical/operational preference for gpg vs x509 here?

Technically, they are pretty much equivalent. IMO the hierarchical trust
model of x509 fits better for an organisational use case, but opinions

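As an added illustration (not part of the mail above), the two trust sources Joerg describes map onto two groups of pkg_install.conf settings. Only GPG_SIGN_AS and GPG_KEYRING_VERIFY are named in the thread itself; the other variable names below (VERIFIED_INSTALLATION, CERTIFICATE_ANCHOR_PKGS, CERTIFICATE_CHAIN) and the paths are taken from my reading of pkg_install.conf(5) and should be checked against the man page on the target system. Per the description above, leaving one of the two groups out means a signature of that type is ignored, so a package carrying only that signature type is treated as unsigned.

```conf
# /etc/pkg_install.conf  (example, not from the thread)

# Refuse to install anything pkg_add cannot verify. Per pkg_install.conf(5)
# the other values are never, trusted and interactive.
VERIFIED_INSTALLATION=always

# PGP trust: every valid key in this keyring is trusted (see the reply above);
# there is no "marked trusted" subset and no web-of-trust evaluation.
GPG_KEYRING_VERIFY=/etc/pkg_install/trusted-pkg-keys.gpg

# x509 trust: the anchor file holds the CA certificate(s); CERTIFICATE_CHAIN
# optionally supplies intermediates that a package's signature may need.
CERTIFICATE_ANCHOR_PKGS=/etc/pkg_install/pkg-ca.pem
CERTIFICATE_CHAIN=/etc/pkg_install/pkg-intermediates.pem

# Only relevant on the build host that signs packages, not on clients.
#GPG_SIGN_AS=pkgbuild@example.org
```

A client that only sets GPG_KEYRING_VERIFY will, per the behaviour described above, ignore an x509 signature on a package and, with VERIFIED_INSTALLATION=always, refuse it unless it also carries a PGP signature from a key in the keyring.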