tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Handling GPG signatures for pkgsrc with netpgp

		Hi Alistair, tech-pkg@,

On 03/02/2017 19:05, Alistair Crooks wrote:
Sorry, thought I'd already given the go-ahead to commit your changes; I
certainly don't want to be a roadblock in these kind of things.

Understood, thank you :)

I currently do not have much time to look at this, but with your approval, I will try to commit the changes as soon as I get the chance.

There is an issue though: I believe you are the official upstream for netpgp, and I could not find any public repository for it. My intention was therefore to make sure these patches would be approved and find their way there first.

Alternatively I can commit the changes in both NetBSD's src and pkgsrc tree. It will be a bit complicated in pkgsrc though, since multiple, unrelated changes will be split across many patch files.

Do you think we could work on a solution in this regard? Would it be possible to work on netpgp in a public repository, issue new releases from this repository and host them somewhere?

Incidentally, you may want to update your cert on edgebsd - chrome tells

I am working on this, and have imported security/py-acme-tiny to fix it with a certificate signed by Let's Encrypt.

-- khorben

On 2 February 2017 at 14:35, Pierre Pronchery <
<>> wrote:

                            Hi tech-pkg@,

    I would like to mention that I have made good progress in the
    context of handling GPG signatures for pkgsrc with netpgp instead of
    GnuPG, and I am now able to use netpgp to both generate and verify
    signed binary packages from pkgsrc! Some bugs are still lurking, but
    this is a start.

    It currently requires applying the packages attached, and setting
    the gpg2netpgp wrapper attached in /etc/pkg_install.conf, e.g.:

    There is a security issue with this setup - without being a
    regression though. Long story short, it is possible to fool netpgp
    into reporting what looks like a detached signature as being
    successfully verified, whereas it will look at content within the
    signature instead of the file to verify. I have no patch to fix this

    I sent these patches to agc@ and security-officer@ for review back
    on October 10th when I had more time to work on this, but I need to
    carry on so I am posting it here. As usual clones of my work
    repositories can be found there:;a=summary

    Being cryptography software and not my own code in the first place,
    I will appreciate a green light before committing any of these. This
    is quite exciting though, as save for a few issues remaining, it is
    no longer necessary to bootstrap GnuPG to import keys or support
    signed packages :)

    -- khorben

    On 05/10/2016 01:57, Pierre Pronchery wrote:

        I thought you might want to know, I have managed to create
        binary packages with pkgsrc, using netpgp alone (and without any
        additional patch) thanks to the wrapper attached. It only requires
        setting GPG=gpg2netpgp in pkg_install.conf.

        By the way, I am writing to you directly assuming you are the
        maintainer for netpgp; please let me know if there is a different
        upstream nowadays.

        -- khorben

        On 08/09/2016 17:57, Pierre Pronchery wrote:

            On 09/ 8/16 09:24 AM, Alistair Crooks wrote:

                Thanks for your mail and patch.

                I'll have a look at this one tomorrow, it's a bit late

            I have found another crash, if netpgpkeys fails to import a
            key while
            the keyring is still empty:

            $ netpgpkeys --homedir /tmp/nonexistent --import-key /dev/null
            netpgp: warning homedir "/tmp/nonexistent" not found
            /tmp/nonexistent/pubring.gpg: No such file or directory
            Can't read pubring /tmp/nonexistent/pubring.gpg
            Can't read pub keyring
            Segmentation fault

            The patch attached fixes this issue.

            -- khorben

                On 7 September 2016 at 08:48, Pierre Pronchery
                < <>
                < <>>>

                                            Hi Alistair,

                    I hope you are doing good. I have encountered this
                bug in NetPGP:

                    $ netpgpkeys --import-key
                    Segmentation fault

                    In this case, I would expect netpgpkeys to either
                bail, or read keys
                    from the standard input. I have written a patch for
                the latter,
                    which I am attaching here.

                    Let me know what you think.




Home | Main Index | Thread Index | Old Index