pkgsrc-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

pkg/48194: Fixing signed packages in pkg_install and pkgsrc

>Number:         48194
>Category:       pkg
>Synopsis:       Signed packages easily generated and installed
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 08 23:30:00 +0000 2013
>Originator:     Pierre Pronchery
>Release:        NetBSD 6.1_STABLE
The NetBSD Foundation
System: NetBSD kwarx.defora.lan 6.1_STABLE NetBSD 6.1_STABLE (SPLASH) #3: Mon 
Aug 12 00:52:39 CEST 2013 
Architecture: x86_64
Machine: amd64
pkgsrc has been supporting signed packages since 2001, with mechanisms
based on either GPG keys or X509 certificates. pkg_add(1) may however
fail at installing such packages in some conditions, due to
uninitialized variables in the code used to extract the package signed
from its container.
This example uses a GPG key, which has to be generated beforehand.

Configure pkg_install:
$ cat /etc/pkg_install.conf

Sign a package:
$ mkdir signed
$ pkg_admin gpg-sign-package digest-20121220.tgz signed/digest-20121220.tgz

Try to install the resulting package:
$ pkg_add -v signed/digest-20121220.tgz
gpg: Signature made Sun Sep  8 03:32:11 2013 UTC using RSA key ID 6F3AF5E2
gpg: Good signature from "EdgeBSD packages <>"
pkg_add: 1 package addition failed



Fixed installation of signed packages (uninitialized variables)

diff --git a/pkgtools/pkg_install/files/lib/pkg_signature.c 
index 089234e..5e837be 100644
--- a/pkgtools/pkg_install/files/lib/pkg_signature.c
+++ b/pkgtools/pkg_install/files/lib/pkg_signature.c
@@ -326,6 +326,9 @@ pkg_verify_signature(const char *archive_name, struct 
archive **archive,
        *pkgname = NULL;
        state = xmalloc(sizeof(*state));
+       state->sign_block_len = 0;
+       state->sign_block_number = 0;
+       state->sign_cur_block = 0;
        state->sign_blocks = NULL;
        state->sign_buf = NULL;
        state->archive = NULL;

See also the following discussion on how to generate signed packages
directly from pkgsrc:

Patches are also available for pkgsrc, see:;a=commitdiff_plain;h=b2ad0ec7e434d221d92218c52b18558a825f5ec9


Home | Main Index | Thread Index | Old Index