Re: officially signed packages

To: tech-pkg%netbsd.org@localhost
Subject: Re: officially signed packages
From: Pierre Pronchery <khorben%defora.org@localhost>
Date: Sun, 06 Apr 2014 18:37:36 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hi Fredrik, tech-pkg@,

On 06/04/2014 17:58, Fredrik Pettai wrote:
> On Jan 22, 2014, at 17:51 , Jeremy C. Reed <reed%reedmedia.net@localhost>
> wrote:
>> What do we need to do next to get officially signed packages?
>> 
>> I saw the thread at 
>> http://mail-index.netbsd.org/pkgsrc-users/2013/08/30/msg018511.html
>>
>>
>> 
Should we have some role account for GPG_SIGN_AS ?

I think that would be great. Some steps are probably necessary before
we can provide signed packages by default though.

>> p.s. Should this ticket be closed? http://gnats.netbsd.org/48194

Thanks for the heads-up, I have just closed it.

> I noted that khorben@ committed (the final?) updates to pkgsrc
> infrastructure, so it's time to resurrect this thread again.

:)

> What's the next step(s)?

I'd say one important thing is the ability to verify package
signatures without relying on any package to be installed already. I
think that's possible for X509-based signatures. In the case of GPG
signatures though, installing security/gnupg is currently required -
and it obviously can't verify itself while installing.

Checking GPG signatures could however be done with netpgp(1) from
base. It doesn't work out of the box yet, but it shouldn't be much
work to achieve (?). Feel free to beat me to it in any case :)

Once this done I feel like it should be possible to let official
NetBSD releases default to signed binary packages, shipping the
release with the GPG public key pre-installed (possibly in a distinct
keyring), and then strictly checking the signatures by default. This
may be problematic on slow architectures though, this will require
testing on the slower models of each to ensure operations on packages
are still usable - when installing in particular.

On a related note, the file format for signed packages isn't
particularly great at the moment. It will probably make sense to
re-design it at some point, but to me this is not a blocker.

HTH,
- -- 
khorben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)

iQIcBAEBAgAGBQJTQYLQAAoJEDA4y9uYhpcDVmMQAJBXLkNFNUa3twIdFPsLkWGc
fz0XWm8KS36dAInqfxIMgYn9ldwejY+ARvqNl9xTkzUSnKi8WNKKJO1PLFbHEeFg
Boz/BC3urqv20fL4XI4V+YtQY9MFNPXmRffPaUR3fOkz1pXvilgyF8dNHxh5PA/d
6wfsETCyhXP1Dl3z56/cBv7V2JlxZH353AVGdpWBwP5IlFAVidz6tHVEiZE07KcU
i1stRuZsO7orMt/xeDpDNhDdjmn8dXnIp+FevwDvweKZsHfKWoZD4yoZwB4O3dcu
ZRTKbhMSRK2cOCcVOagRLYE3Ggs7AY8wAMsPJmMZ3my6zz3HiQ6IvZbXabQyBiqX
Yh2pq0oQSJuXHQhupUwlRVwFJR9xuQa65bQDYVOt6bTt6zIB6bho3z2FJ3Vk54lY
FqNO8pfiT+3F8UAAOrpdDnloReYnj/wO3gf+BQFVzbHr/NOu0d8X9w8P+1dgN/0r
RHR01yv9nXBlNwZkv3OQnXyQAUUIyWQ2bfuh3kwTt59xjICXQxdVKv5P7QWsINHA
bTpE18ahndhnf6zBhInVPqibC09SFjr3oBy2VT6H3gAlM+7ApVqKHlEM6aR+DwFV
73zEjfPA4bewXVttaKED+haM6SF0GvfBdGfd17BNaC0FoikcSH1m6sKd3pHmFmQe
08y0tAC180GeOau7Ds/p
=SOmt
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: officially signed packages
  - From: Alistair Crooks
- Re: officially signed packages
  - From: Fredrik Pettai

References:
- officially signed packages
  - From: Jeremy C. Reed
- Re: officially signed packages
  - From: Fredrik Pettai

Prev by Date: Re: officially signed packages
Next by Date: Re: officially signed packages
Previous by Thread: Re: officially signed packages
Next by Thread: Re: officially signed packages
Indexes:

Home | Main Index | Thread Index | Old Index