tech-pkg archive


Re: Obstacles to get signed binary pkgs

A few thoughts inline

On Fri, 31 Jan 2020 at 02:35, Martin Husemann <> wrote:
On Fri, Jan 31, 2020 at 09:46:04AM +0000, Jonathan Perkin wrote:

Thanks a lot, very helpful! Skipping the technical details for now...

> These are the questions I can't answer.  NetBSD is going to be
> different to all the other OS that have package signing enabled, as
> you ship pkg_install with the OS.  For us it's easy, we distribute the
> pkg_install bootstrap kit bundled with all the bits necessary for
> verifying its signed packages.
> As an added bonus we also include the pkgsrc-security key so that the
> vulnerabilities file can be verified out of the box, and distribute
> this as a package so that it can be updated whenever the key changes.
> This is configured with GPG_KEYRING_PKGVULN in pkg_install.conf.

Is the following a practical approach?

 - We add the NetBSD security officer public key (as of the time a release
   is generated) to our (base system) distribution, e.g. as part of the
   "etc" set.

Let's add the pkgsrc-security pub key, as well as the NetBSD one - validity of pkgsrc-security is one year, and it has both signing and encryption keys on there, so I think it's a better fit. It's also probably the more correct in terms of roles :)

Alternatively, we should cut a new key, solely for signing of releases. As Jonathan notes later on, validity across releases is a necessary item.
 - We assume that binaries for each individual pkg repository (i.e. ftp
   server directory) are built by a single build environment. Each gets
   a signing key (not necessarily unique) and the public key of that
   is stored at the root of the pkg repository, and officially
   signed by the NetBSD security officer. The pkgsrc-security key
   gets the same handling too.

 - We can switch keys any time we start a pkg build from scratch. Or the
   other way around: if we need to switch keys, all pkgs need to be

Not quite sure yet how to most easily make the initial install available
and self-verified, but whether it is pkgin, a script, or some special
functionality in sysinst can be discussed later.

Would that work? Did I overlook something?


I've also got some code that should hit a tree RSN that will use another approach to signing
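The trust chain proposed above (an officer key shipped with the base system, a per-repository signing key certified by that officer key, packages signed by the repository key, and every package re-signed when the repository key is switched) as an added example. This is not code from the thread, from pkg_install or from pkgsrc; it uses Go's standard ed25519 in place of the GPG keys the discussion is about, and all keys, package names and payloads are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RepoKeyCert is what sits at the root of a pkg repository: the build
// environment's signing key and the security officer's signature over it.
type RepoKeyCert struct {
	RepoPub    ed25519.PublicKey
	OfficerSig []byte
}

// SignedPackage is a package payload plus the repository key's signature.
type SignedPackage struct {
	Name string
	Data []byte
	Sig  []byte
}

var (
	ErrUntrustedRepoKey = errors.New("repository key is not certified by the trusted officer key")
	ErrBadPackageSig    = errors.New("package signature does not verify under the repository key")
)

// signingInput binds the package name to its contents so a signature
// cannot be transplanted from one package onto another.
func signingInput(name string, data []byte) []byte {
	return append([]byte(name+"\x00"), data...)
}

// CertifyRepoKey is the security officer's step: sign the repo public key.
func CertifyRepoKey(officerPriv ed25519.PrivateKey, repoPub ed25519.PublicKey) RepoKeyCert {
	return RepoKeyCert{RepoPub: repoPub, OfficerSig: ed25519.Sign(officerPriv, repoPub)}
}

// SignPackage is the build environment's step.
func SignPackage(repoPriv ed25519.PrivateKey, name string, data []byte) SignedPackage {
	return SignedPackage{Name: name, Data: data, Sig: ed25519.Sign(repoPriv, signingInput(name, data))}
}

// VerifyPackage is the client's step, trusting nothing but the officer
// public key shipped in the base system (the "etc" set in the proposal).
func VerifyPackage(officerPub ed25519.PublicKey, cert RepoKeyCert, pkg SignedPackage) error {
	if !ed25519.Verify(officerPub, cert.RepoPub, cert.OfficerSig) {
		return ErrUntrustedRepoKey
	}
	if !ed25519.Verify(cert.RepoPub, signingInput(pkg.Name, pkg.Data), pkg.Sig) {
		return ErrBadPackageSig
	}
	return nil
}

// Outcome collects the verification results of the constructed scenario.
type Outcome struct {
	Good, Uncertified, Tampered, StaleAfterRotation error
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenario walks the chain with constructed keys and a constructed payload.
func RunScenario() Outcome {
	officerPub, officerPriv := mustKey()
	repoPub, repoPriv := mustKey()
	cert := CertifyRepoKey(officerPriv, repoPub)
	payload := []byte("constructed package contents") // constructed sample data
	pkg := SignPackage(repoPriv, "example-1.0.tgz", payload)

	var out Outcome
	out.Good = VerifyPackage(officerPub, cert, pkg)

	// A key the officer never certified: the chain fails at its first link,
	// even though the package signature itself is internally consistent.
	otherPub, otherPriv := mustKey()
	uncert := RepoKeyCert{RepoPub: otherPub, OfficerSig: ed25519.Sign(otherPriv, otherPub)}
	out.Uncertified = VerifyPackage(officerPub, uncert, SignPackage(otherPriv, pkg.Name, payload))

	// Contents changed after signing.
	tampered := pkg
	tampered.Data = append([]byte{}, payload...)
	tampered.Data[0] ^= 0xff
	out.Tampered = VerifyPackage(officerPub, cert, tampered)

	// Key switch: a new repo key is certified, but the old package was never
	// re-signed, so it has to be rebuilt (or re-signed) before it verifies.
	newPub, _ := mustKey()
	newCert := CertifyRepoKey(officerPriv, newPub)
	out.StaleAfterRotation = VerifyPackage(officerPub, newCert, pkg)
	return out
}

func main() {
	o := RunScenario()
	fmt.Println("certified key, intact package:", o.Good)
	fmt.Println("uncertified repo key:         ", o.Uncertified)
	fmt.Println("tampered package:             ", o.Tampered)
	fmt.Println("old package after key switch: ", o.StaleAfterRotation)
}
```

The client never fetches the officer key from the repository it is verifying; that key is the one shipped with the release, which is why a key switch on the repository side needs nothing more than a fresh certification plus a full rebuild or re-sign, while a change of the officer key itself needs a new base distribution (or the separately updatable key package Jonathan describes).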
