pkgsrc-Bugs archive
pkg/48194: Fixing signed packages in pkg_install and pkgsrc
>Number: 48194
>Category: pkg
>Synopsis: Signed packages easily generated and installed
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 08 23:30:00 +0000 2013
>Originator: Pierre Pronchery
>Release: NetBSD 6.1_STABLE
>Organization:
The NetBSD Foundation
>Environment:
System: NetBSD kwarx.defora.lan 6.1_STABLE NetBSD 6.1_STABLE (SPLASH) #3: Mon Aug 12 00:52:39 CEST 2013 khorben%kwarx.defora.lan@localhost:/home/amd64/obj.6/sys/arch/amd64/compile/SPLASH amd64
Architecture: x86_64
Machine: amd64
>Description:
pkgsrc has been supporting signed packages since 2001, with mechanisms
based on either GPG keys or X509 certificates. pkg_add(1) may however
fail to install such packages under some conditions, due to
uninitialized variables in the code used to extract the signed package
from its container.
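The failure mode described above, as an added example that is not pkg_install code: a hypothetical sign_state carrying the members named in the patch further down, allocated once the pre-patch way (pointers set, counters left as the allocator handed them back), once the patched way, and once with calloc(); an invariant check stands in for the bookkeeping a signature reader does before trusting those counters. The 0xa5 fill is an assumption standing in for recycled heap contents (it is the junk byte jemalloc writes into fresh allocations under MALLOC_OPTIONS=J); SIGN_BLOCK_MAX, the struct layout and every function name are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for pkg_install's signature-reader state. The member
 * names are the ones visible in the PR's patch hunk; the types, the layout
 * and everything below are assumptions made for this added example, not
 * pkg_install code. */
struct sign_state {
    size_t   sign_block_len;     /* bytes in the current signature block */
    size_t   sign_block_number;  /* signature blocks seen so far */
    size_t   sign_cur_block;     /* block currently being consumed */
    char   **sign_blocks;        /* array of sign_block_number blocks */
    char    *sign_buf;           /* scratch buffer for the current block */
    void    *archive;            /* container being read */
};

/* Assumed sane upper bound for a single armoured signature block. */
#define SIGN_BLOCK_MAX (64 * 1024)

/* malloc() hands back recycled heap memory, so members nobody writes keep
 * whatever was there before. To make that deterministic, this wrapper fills
 * the allocation with 0xa5, the junk byte jemalloc uses when its J option is
 * set (MALLOC_OPTIONS=J on NetBSD). An xmalloc()-style wrapper that only
 * aborts on NULL gives no protection against this. */
static void *junk_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        abort();
    memset(p, 0xa5, n);
    return p;
}

/* Pre-patch pattern: pointers are initialised, the counters are not. */
struct sign_state *sign_state_new_partial(void)
{
    struct sign_state *state = junk_malloc(sizeof(*state));
    state->sign_blocks = NULL;
    state->sign_buf = NULL;
    state->archive = NULL;
    return state;
}

/* Patched pattern: every member is assigned before the state is used. */
struct sign_state *sign_state_new_fixed(void)
{
    struct sign_state *state = junk_malloc(sizeof(*state));
    state->sign_block_len = 0;
    state->sign_block_number = 0;
    state->sign_cur_block = 0;
    state->sign_blocks = NULL;
    state->sign_buf = NULL;
    state->archive = NULL;
    return state;
}

/* Defensive pattern: zero the whole object, so a member added to the struct
 * later cannot be forgotten in the constructor. */
struct sign_state *sign_state_new_zeroed(void)
{
    struct sign_state *state = calloc(1, sizeof(*state));
    if (state == NULL)
        abort();
    return state;
}

/* Invariants a signature reader relies on before trusting the counters.
 * Returns 1 when they hold, 0 when the state is unusable. */
int sign_state_invariants_ok(const struct sign_state *s)
{
    if (s->sign_cur_block > s->sign_block_number)
        return 0;                         /* consumed more than exist */
    if (s->sign_block_len > SIGN_BLOCK_MAX)
        return 0;                         /* would drive a huge read */
    if (s->sign_blocks == NULL && s->sign_block_number != 0)
        return 0;                         /* claims blocks it cannot hold */
    return 1;
}

void sign_state_free(struct sign_state *s)
{
    free(s);
}

int main(void)
{
    struct sign_state *a = sign_state_new_partial();
    struct sign_state *b = sign_state_new_fixed();
    struct sign_state *c = sign_state_new_zeroed();

    printf("partial init:  block_len=%zu invariants=%d\n",
           a->sign_block_len, sign_state_invariants_ok(a));
    printf("explicit init: block_len=%zu invariants=%d\n",
           b->sign_block_len, sign_state_invariants_ok(b));
    printf("calloc init:   block_len=%zu invariants=%d\n",
           c->sign_block_len, sign_state_invariants_ok(c));

    sign_state_free(a);
    sign_state_free(b);
    sign_state_free(c);
    return 0;
}
```

With the partial constructor the invariant check fails because sign_block_len reads back as the junk pattern and the state claims blocks that sign_blocks cannot hold; the other two constructors pass. On a real system the garbage is whatever the previous user of that heap chunk left behind, which is why the symptom in the PR depends on conditions rather than showing up every time.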
>How-To-Repeat:
This example uses a GPG key, which has to be generated beforehand.
Configure pkg_install:
$ cat /etc/pkg_install.conf
GPG=/home/khorben/bin/gpg
GPG_SIGN_AS=root%edgebsd.org@localhost
VERIFIED_INSTALLATION=always
Sign a package:
$ mkdir signed
$ pkg_admin gpg-sign-package digest-20121220.tgz signed/digest-20121220.tgz
Try to install the resulting package:
$ pkg_add -v signed/digest-20121220.tgz
gpg: Signature made Sun Sep 8 03:32:11 2013 UTC using RSA key ID 6F3AF5E2
gpg: Good signature from "EdgeBSD packages <root%edgebsd.org@localhost>"
pkg_add: 1 package addition failed
>Fix:
X-Git-Url: http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=commitdiff_plain;h=1a4a18342a5d49ce9a93ab0689b4aa04dfc40847
Fixed installation of signed packages (uninitialized variables)
---
diff --git a/pkgtools/pkg_install/files/lib/pkg_signature.c
b/pkgtools/pkg_install/files/lib/pkg_signature.c
index 089234e..5e837be 100644
--- a/pkgtools/pkg_install/files/lib/pkg_signature.c
+++ b/pkgtools/pkg_install/files/lib/pkg_signature.c
@@ -326,6 +326,9 @@ pkg_verify_signature(const char *archive_name, struct
archive **archive,
*pkgname = NULL;
state = xmalloc(sizeof(*state));
+ state->sign_block_len = 0;
+ state->sign_block_number = 0;
+ state->sign_cur_block = 0;
state->sign_blocks = NULL;
state->sign_buf = NULL;
state->archive = NULL;
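Review bot: the three added assignments after `state = xmalloc(sizeof(*state));` fix the counters the PR reports, but any member of *state that is not listed in this block (now, or after someone adds a field later) is still left with whatever the allocator returned; consider zeroing the whole object once instead, with a zero-filling allocator if the tree has one or a `memset(state, 0, sizeof(*state));` directly after the xmalloc(), after which the explicit `= 0` and `= NULL` lines become redundant and can go.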
See also the following discussion on how to generate signed packages
directly from pkgsrc:
http://mail-index.netbsd.org/pkgsrc-users/2013/08/30/msg018511.html
Patches are also available for pkgsrc, see:
http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=commitdiff_plain;h=b2ad0ec7e434d221d92218c52b18558a825f5ec9
HTH,
--
khorben