Re: Handling GPG signatures for pkgsrc with netpgp

[Pierre Pronchery <khorben%defora.org@localhost>]

		Hi Alistair, tech-pkg@,

On 03/02/2017 19:05, Alistair Crooks wrote:
> Sorry, thought I'd already given the go-ahead to commit your changes; I
> certainly don't want to be a roadblock in these kind of things.

Understood, thank you :)

I currently do not have much time to look at this, but with your 
approval, I will try to commit the changes as soon as I get the chance.

There is an issue though: I believe you are the official upstream for 
netpgp, and I could not find any public repository for it. My intention 
was therefore to make sure these patches would be approved and find 
their way there first.

Alternatively I can commit the changes in both NetBSD's src and pkgsrc 
tree. It will be a bit complicated in pkgsrc though, since multiple, 
unrelated changes will be split across many patch files.

Do you think we could work on a solution in this regard? Would it be 
possible to work on netpgp in a public repository, issue new releases 
from this repository and host them somewhere?

> Incidentally, you may want to update your cert on edgebsd - chrome tells
> me "NET::ERR_CERT_AUTHORITY_INVALID" for git.edgebsd.org
> <http://git.edgebsd.org>

I am working on this, and have imported security/py-acme-tiny to fix it 
with a certificate signed by Let's Encrypt.

Cheers,
-- khorben

> On 2 February 2017 at 14:35, Pierre Pronchery <khorben%defora.org@localhost
> <mailto:khorben%defora.org@localhost>> wrote:
>
>                             Hi tech-pkg@,
>
>     I would like to mention that I have made good progress in the
>     context of handling GPG signatures for pkgsrc with netpgp instead of
>     GnuPG, and I am now able to use netpgp to both generate and verify
>     signed binary packages from pkgsrc! Some bugs are still lurking, but
>     this is a start.
>
>     It currently requires applying the packages attached, and setting
>     the gpg2netpgp wrapper attached in /etc/pkg_install.conf, e.g.:
>     GPG=/usr/local/bin/gpg2netpgp
>
>     There is a security issue with this setup - without being a
>     regression though. Long story short, it is possible to fool netpgp
>     into reporting what looks like a detached signature as being
>     successfully verified, whereas it will look at content within the
>     signature instead of the file to verify. I have no patch to fix this
>     yet.
>
>     I sent these patches to agc@ and security-officer@ for review back
>     on October 10th when I had more time to work on this, but I need to
>     carry on so I am posting it here. As usual clones of my work
>     repositories can be found there:
>     https://git.edgebsd.org/gitweb/?p=pkgsrc.git;a=summary
>     <https://git.edgebsd.org/gitweb/?p=pkgsrc.git;a=summary>
>
>     Being cryptography software and not my own code in the first place,
>     I will appreciate a green light before committing any of these. This
>     is quite exciting though, as save for a few issues remaining, it is
>     no longer necessary to bootstrap GnuPG to import keys or support
>     signed packages :)
>
>     Cheers,
>     -- khorben
>
>     On 05/10/2016 01:57, Pierre Pronchery wrote:
>
>         I thought you might want to know, I have managed to create
>         GPG-signed
>         binary packages with pkgsrc, using netpgp alone (and without any
>         additional patch) thanks to the wrapper attached. It only requires
>         setting GPG=gpg2netpgp in pkg_install.conf.
>
>         By the way, I am writing to you directly assuming you are the
>         official
>         maintainer for netpgp; please let me know if there is a different
>         upstream nowadays.
>
>         Cheers!
>         -- khorben
>
>         On 08/09/2016 17:57, Pierre Pronchery wrote:
>
>             On 09/ 8/16 09:24 AM, Alistair Crooks wrote:
>
>                 Thanks for your mail and patch.
>
>                 I'll have a look at this one tomorrow, it's a bit late
>                 tonight.
>
>
>             I have found another crash, if netpgpkeys fails to import a
>             key while
>             the keyring is still empty:
>
>             $ netpgpkeys --homedir /tmp/nonexistent --import-key /dev/null
>             netpgp: warning homedir "/tmp/nonexistent" not found
>             /tmp/nonexistent/pubring.gpg: No such file or directory
>             Can't read pubring /tmp/nonexistent/pubring.gpg
>             Can't read pub keyring
>             Segmentation fault
>
>             The patch attached fixes this issue.
>
>             HTH,
>             -- khorben
>
>                 On 7 September 2016 at 08:48, Pierre Pronchery
>                 <khorben%defora.org@localhost <mailto:khorben%defora.org@localhost>
>                 <mailto:khorben%defora.org@localhost <mailto:khorben%defora.org@localhost>>>
>                 wrote:
>
>                                             Hi Alistair,
>
>                     I hope you are doing good. I have encountered this
>                 bug in NetPGP:
>
>                     $ netpgpkeys --import-key
>                     Segmentation fault
>
>                     In this case, I would expect netpgpkeys to either
>                 bail, or read keys
>                     from the standard input. I have written a patch for
>                 the latter,
>                     which I am attaching here.
>
>                     Let me know what you think.
>
>                     Cheers,
>
>
>     --
>     khorben


--
khorben