Subject: Re: little hacking project: bulk build checksums
To: None <tech-pkg@NetBSD.org>
From: Jan Schaumann <jschauma@netmeister.org>
List: tech-pkg
Date: 01/23/2005 12:04:19

Alistair Crooks <agc@pkgsrc.org> wrote:
> On Sun, Jan 23, 2005 at 03:56:35AM +0100, Hubert Feyrer wrote:
> > On Sun, 23 Jan 2005, grant beattie wrote:
> > >we have the ability to cryptographically sign binary packages, which
> > >can be automatically verified by pkg_add.
> >
> > I hear that myth on and off, but never found any documentation, usage
> > examples etc. on it. Can you tell us more about it?

> pkg_add(1) contains the following text:
>
>      -s verification-type
>              Use a callout to an external program to verify the binary package
>              being installed against an existing detached signature file.  The
>              signature file must reside in the same directory as the binary
>              package.  At the present time, the following verification types
>              are defined: none, gpg and pgp5.

[...]

> To make a digital signature of a binary package is very simple:
>
> 	% gpg -b <binary-package-name>
>
> will make the detached signature file.

Which, however, brings back the problem of not having a PGP tool in the
base system.  Our pkg tools should not rely on third-party software for
the verification or creation of signatures.

For that reason, I would probably tend more towards the openssl
approach, be it based on smime file signing or certificates.  I would
assume that it would be beneficial for the project to have a cert it
could ship with in the base system.

Alas, I feel we're rehashing the discussion from last May
(http://mail-index.netbsd.org/tech-security/2004/05/ -- as was pointed
out to me in this thread elsewhere).

-Jan

-- 
I always said there was something fundamentally wrong with the universe.
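
The OpenSSL-only approach suggested above, sketched as an added example (not code from this message, pkg_add or pkgsrc): a detached S/MIME (PKCS#7) signature is written next to the package and checked against a certificate the verifier already trusts. The throwaway self-signed certificate, the `.sig` suffix, the file names and the helper function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: detached package signatures using only openssl(1).
# The ".sig" suffix and all file names are assumptions for this demo.

# make_signer DIR: create a throwaway self-signed signing cert and key.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed demo signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# sign_pkg PKG CERT KEY: write a detached PKCS#7 signature to PKG.sig.
sign_pkg() {
    openssl smime -sign -binary -in "$1" -signer "$2" -inkey "$3" \
        -outform DER -out "$1.sig" 2>/dev/null
}

# verify_pkg PKG CERT: succeed only if PKG.sig, in the same directory,
# is a valid signature over PKG by a cert that chains to CERT.
verify_pkg() {
    [ -f "$1.sig" ] || return 1
    openssl smime -verify -binary -inform DER -in "$1.sig" \
        -content "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# demo: sign a constructed stand-in package, verify it, then tamper with it.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for a binary package\n' > "$d/foo-1.0.tgz"
    make_signer "$d" && sign_pkg "$d/foo-1.0.tgz" "$d/cert.pem" "$d/key.pem" \
        || { rm -rf "$d"; return 1; }
    if verify_pkg "$d/foo-1.0.tgz" "$d/cert.pem"; then r1=good; else r1=bad; fi
    printf 'x' >> "$d/foo-1.0.tgz"      # simulate tampering after signing
    if verify_pkg "$d/foo-1.0.tgz" "$d/cert.pem"; then r2=good; else r2=bad; fi
    rm -rf "$d"
    echo "$r1 $r2"
}

demo   # prints "good bad"
```

In a real deployment the certificate passed to `-CAfile` would be one shipped with the base system, and the signing key would never sit on the machine doing the verification.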
