Hi tech-pkg@,
I would like to mention that I have made good progress in the context of handling GPG signatures for pkgsrc with netpgp instead of GnuPG, and I am now able to use netpgp to both generate and verify signed binary packages from pkgsrc! Some bugs are still lurking, but this is a start.
It currently requires applying the packages attached, and setting the gpg2netpgp wrapper attached in /etc/pkg_install.conf, e.g.:
GPG=/usr/local/bin/gpg2netpgp
There is a security issue with this setup - without being a regression though. Long story short, it is possible to fool netpgp into reporting what looks like a detached signature as being successfully verified, whereas it will look at content within the signature instead of the file to verify. I have no patch to fix this yet.
I sent these patches to agc@ and security-officer@ for review back on October 10th when I had more time to work on this, but I need to carry on so I am posting it here. As usual clones of my work repositories can be found there:
https://git.edgebsd.org/gitweb/?p=pkgsrc.git;a=summary
Being cryptography software and not my own code in the first place, I will appreciate a green light before committing any of these. This is quite exciting though, as save for a few issues remaining, it is no longer necessary to bootstrap GnuPG to import keys or support signed packages :)
Cheers,
-- khorben
On 05/10/2016 01:57, Pierre Pronchery wrote:
I thought you might want to know, I have managed to create GPG-signed
binary packages with pkgsrc, using netpgp alone (and without any
additional patch) thanks to the wrapper attached. It only requires
setting GPG=gpg2netpgp in pkg_install.conf.
By the way, I am writing to you directly assuming you are the official
maintainer for netpgp; please let me know if there is a different
upstream nowadays.
Cheers!
-- khorben
On 08/09/2016 17:57, Pierre Pronchery wrote:
On 09/ 8/16 09:24 AM, Alistair Crooks wrote:
Thanks for your mail and patch.
I'll have a look at this one tomorrow, it's a bit late tonight.
I have found another crash, if netpgpkeys fails to import a key while
the keyring is still empty:
$ netpgpkeys --homedir /tmp/nonexistent --import-key /dev/null
netpgp: warning homedir "/tmp/nonexistent" not found
/tmp/nonexistent/pubring.gpg: No such file or directory
Can't read pubring /tmp/nonexistent/pubring.gpg
Can't read pub keyring
Segmentation fault
The patch attached fixes this issue.
HTH,
-- khorben
On 7 September 2016 at 08:48, Pierre Pronchery <khorben%defora.org@localhost
<mailto:khorben%defora.org@localhost>> wrote:
Hi Alistair,
I hope you are doing good. I have encountered this bug in NetPGP:
$ netpgpkeys --import-key
Segmentation fault
In this case, I would expect netpgpkeys to either bail, or read keys
from the standard input. I have written a patch for the latter,
which I am attaching here.
Let me know what you think.
Cheers,
--
khorben