tech-pkg archive

Re: Signature verification with netpgpverify

* On 2015-02-02 at 16:41 GMT, Jonathan Perkin wrote:

> We're looking to start signing our quarterly packages, but it annoyed
> me that I had to include gpg and thus a bunch of other things in our
> bootstrap kits which are supposed to be minimal, and that there was no
> way to disable the horribly verbose output, i.e.:
>   $ pkg_add digest-20121220.tgz
>   gpg: Signature made Mon  2 Feb 16:16:27 2015 GMT using RSA key ID D532A578
>   gpg: Good signature from "Jonathan Perkin <>"
>   gpg:                 aka "Jonathan Perkin <>"
>   gpg:                 aka "Jonathan Perkin <>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the owner.
>   Primary key fingerprint: 785C 44DA 3311 37B3 3B1F  CA0B 215E 7BAF D532 A578
> This quickly gets tedious when installing a lot of packages, and
> trains users to ignore gpg output.
> So I wrote a diff for pkg_install to instead use Al's netpgpverify
> library to perform signature verification inline and with Unix-style
> output (i.e. nothing unless there is an error).

We've been running these changes in production on SmartOS and OSX now
since 2014Q4, and I'd like to integrate them for general use ready for
the 2015Q3 branch.

I committed the netpgpverify fixes to pkgsrc this morning, so the
remaining patch is to enable support in pkg_install.  The diff to do
that is here:

Please review.  Feedback from various people has been that there is no
desire to retain support for verification using an external gpg
command.  If you disagree please argue your case, but note that this
will complicate matters and push this work back beyond 2015Q3.

I'll commit in a couple of weeks unless there are objections.


Jonathan Perkin  -  Joyent, Inc.  -
