tech-pkg archive


Re: Obstacles to get signed binary pkgs



On Fri, Jan 31, 2020 at 09:46:04AM +0000, Jonathan Perkin wrote:

Thanks a lot, very helpful! Skipping the technical details for now...

> These are the questions I can't answer.  NetBSD is going to be
> different to all the other OS that have package signing enabled, as
> you ship pkg_install with the OS.  For us it's easy, we distribute the
> pkg_install bootstrap kit bundled with all the bits necessary for
> verifying its signed packages.
> 
> As an added bonus we also include the pkgsrc-security key so that the
> vulnerabilities file can be verified out of the box, and distribute
> this as a package so that it can be updated whenever the key changes.
> This is configured with GPG_KEYRING_PKGVULN in pkg_install.conf.

Is the following a practical approach?

 - We add the NetBSD security officer public key (as of the time a release
   is generated) to our (base system) distribution, e.g. as part of the
   "etc" set.

 - We assume that binaries for each individual pkg repository (i.e. ftp
   server directory) are built by a single build environment. Each gets
   a signing key (not necessarily unique) and the public key of that
   is stored at the root of the pkg repository, and officially
   signed by the NetBSD security officer. The pkgsrc-security key
   gets the same handling too.

 - We can switch keys any time we start a pkg build from scratch. Or the
   other way around: if we need to switch keys, all pkgs need to be
   rebuilt.

Not quite sure yet how to most easily make the initial install available
and self-verified, but whether it is pkgin, a script, or some special
functionality in sysinst can be discussed later.


Would that work? Did I overlook something?

Martin
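
The three-tier chain proposed above (security officer key shipped in the base system, repository signing key certified by that officer key and stored at the repo root, packages signed by the repository key), as an added Go example that is not part of this thread or of pkg_install. The RepoKeyCert layout, the function names and the use of a plain Ed25519 signature as the officer's "certification" are assumptions standing in for whatever format pkg_install would actually use; the last lines show the consequence of the third bullet, that packages signed with the old repository key stop verifying after a key switch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RepoKeyCert is the repository's public signing key together with the
// security officer's signature over it (the file stored at the repo root).
type RepoKeyCert struct {
	RepoPub ed25519.PublicKey
	Cert    []byte
}

// SignedPkg is a package archive plus the repository key's detached signature.
type SignedPkg struct {
	Data []byte
	Sig  []byte
}

// VerifyPkg checks the chain the proposal describes: the officer key
// (shipped in the base system) certifies the repo key, which signs the pkg.
func VerifyPkg(officerPub ed25519.PublicKey, cert RepoKeyCert, pkg SignedPkg) error {
	if !ed25519.Verify(officerPub, cert.RepoPub, cert.Cert) {
		return errors.New("repository key not certified by the security officer")
	}
	if !ed25519.Verify(cert.RepoPub, pkg.Data, pkg.Sig) {
		return errors.New("package signature does not match the certified repo key")
	}
	return nil
}

// newRepo generates a repository signing key and has the officer certify it.
func newRepo(officerPriv ed25519.PrivateKey) (ed25519.PrivateKey, RepoKeyCert) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv, RepoKeyCert{RepoPub: pub, Cert: ed25519.Sign(officerPriv, pub)}
}

func main() {
	officerPub, officerPriv, _ := ed25519.GenerateKey(rand.Reader)
	repoPriv, cert := newRepo(officerPriv)
	pkg := SignedPkg{Data: []byte("constructed package bytes")} // constructed sample
	pkg.Sig = ed25519.Sign(repoPriv, pkg.Data)
	fmt.Println("current key:", VerifyPkg(officerPub, cert, pkg))
	// Key switch: a new certified repo key is published; old pkgs now fail.
	_, newCert := newRepo(officerPriv)
	fmt.Println("after key switch:", VerifyPkg(officerPub, newCert, pkg))
}
```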

