pkgsrc-Users archive


Re: Signature key id b5952cabdd765a20 not found



* On 2022-10-01 at 21:46 BST, Roland Illig wrote:

> On 01.10.2022 at 22:18, Jonathan Perkin wrote:
>> * On 2022-10-01 at 21:07 BST, Roland Illig wrote:
>>
>>> My next step was to run 'man pkg_install.conf', as indicated by the 'SEE
>>> ALSO' section in 'man pkg_info'. There, I found that I could disable the
>>> verification. What was missing was the information about how to properly
>>> set up package verification.
>>
>> You need to set GPG_KEYRING_VERIFY to point to a keyring file that
>> contains the public key used to sign the packages.
>
> I solved the problem by starting from scratch, following the
> instructions on https://pkgsrc.joyent.com/install-on-netbsd/.

Oh you're using my package kits.  In that case you missed this email:

  https://mail-index.netbsd.org/pkgsrc-users/2022/07/18/msg035942.html

The PGP key changed as part of the infrastructure migration, hence requiring a new keyring.

> I don't know where the key ID comes from. I tried this:
>
> $ netpgpkeys --list-keys --keyring=/usr/pkg.old/etc/gnupg/pkgsrc.gpg
> 1 key found
> "pub" 4096/"RSA (Encrypt or Sign)" "60115c645d402cc3" 2020-07-21
> Key fingerprint: "c100 ee37 7b92 1a0d 477e 5dde 6011 5c64 5d40 2cc3 "
> uid              "Joyent Package Signing (NetBSD) <pkgsrc%joyent.com@localhost>" ""
> encryption 4096/"RSA (Encrypt or Sign)" "96c4af7fb9d919f5" 2020-07-21
>
> This doesn't look like the b5952cabdd765a20 from the subject.

Yeh, netpgp has a weird way of displaying the key, and I also don't understand how to map it to a GPG key id.

> The newly downloaded bootstrap kit contains the correct key though. I
> wonder where the old key came from or how I could find out more about
> that old key, given only its key ID.

Explained above.

> There's still a lot of work to be done until signed binary packages are
> user-friendly. Having the packages signed is something I really like
> though. I regard it as a basic requirement rather than a feature.

There are some rough edges, but on the whole they work brilliantly and I've been shipping them for around 8 years now with very few complaints over many millions of installs. The key migration is something I've not had to do up until recently, and it's hopefully a one-time thing.

--
Jonathan Perkin   -   mnx.io   -   pkgsrc.smartos.org
Open Source Complete Cloud   www.tritondatacenter.com
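
An added example, not part of the original message and not pkgsrc or netpgp code: a check of whether the key ID named in a "Signature key id ... not found" error is present in a keyring listing. It relies on the OpenPGP v4 rule (RFC 4880, section 12.2) that the 64-bit key ID is the low-order 64 bits of the fingerprint, which the quoted netpgpkeys output follows. The function names are hypothetical, and the line format is assumed from the single listing quoted in the thread.

```python
import re

# netpgpkeys listing as quoted in the thread (embedded so the check runs offline).
LISTING = '''1 key found
"pub" 4096/"RSA (Encrypt or Sign)" "60115c645d402cc3" 2020-07-21
Key fingerprint: "c100 ee37 7b92 1a0d 477e 5dde 6011 5c64 5d40 2cc3 "
uid              "Joyent Package Signing (NetBSD) <pkgsrc%joyent.com@localhost>" ""
encryption 4096/"RSA (Encrypt or Sign)" "96c4af7fb9d919f5" 2020-07-21
'''

# <role> <bits>/"<algorithm>" "<16 hex digit key id>" ; the role may be quoted or bare.
KEY_LINE = re.compile(r'^"?(\w+)"?\s+\d+/"[^"]*"\s+"([0-9a-fA-F]{16})"')
FPR_LINE = re.compile(r'^Key fingerprint:\s*"([0-9a-fA-F ]+)"')

def parse_listing(text):
    """Return one dict per key or subkey line: role, key_id, fingerprint (or None)."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys.append({"role": m.group(1), "key_id": m.group(2).lower(), "fingerprint": None})
            continue
        m = FPR_LINE.match(line)
        if m and keys:  # the fingerprint line belongs to the key listed just before it
            keys[-1]["fingerprint"] = re.sub(r"\s+", "", m.group(1)).lower()
    return keys

def key_id_from_fingerprint(fpr):
    """OpenPGP v4: key ID = low-order 64 bits of the 160-bit fingerprint."""
    if len(fpr) != 40:
        raise ValueError("expected a 160-bit v4 fingerprint")
    return fpr[-16:]

def check_keyring(text, wanted_id):
    """Say whether wanted_id is listed, and flag entries whose ID and fingerprint disagree."""
    wanted = wanted_id.lower()
    if wanted.startswith("0x"):
        wanted = wanted[2:]
    keys = parse_listing(text)
    bad = [k["key_id"] for k in keys
           if k["fingerprint"] and key_id_from_fingerprint(k["fingerprint"]) != k["key_id"]]
    return {"present": any(k["key_id"] == wanted for k in keys),
            "ids": [k["key_id"] for k in keys],
            "inconsistent": bad}

if __name__ == "__main__":
    print(check_keyring(LISTING, "b5952cabdd765a20"))
```

To use it on a live system, pass it the output of `netpgpkeys --list-keys --keyring=...` for the keyring file that GPG_KEYRING_VERIFY points to.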

