signed packages documentation
I build (small, with non-default options) package sets for two arches
for my own use, and I am thinking about what it would take to sign and
verify these. Plus I'm asking for a friend :-)
Looking at the pkg_foo docs, even as someone who understands the
underlying issues and software, I have a lot of questions.
This is really a request for that mythical someone to improve the docs,
rather than just tell me answers. My overall read is that all the
pieces are there, but it's not explained well enough to just get it
right from the docs.
pkg_create does not say anything about signed packages. Most of the
following probably should be addressed in pkg_create(1).
pkg_install.conf mentions "GPG_SIGN_AS" as a config variable. It
doesn't speak to where the key is, or what program is used to sign.
We have netpgp in NetBSD base, and there is gpg 1 and 2 in pkgsrc.
There is no explanation of whether or not one can create a package,
and sign it later, or if this can be done only at creation time.
There is no real explanation of how to come up with a keypair and how
to produce the bits needed for validation. (Only needs to be
understandable by people that have used openpgp and basically
understand, in my view.)
Assuming gpg is used, it is not clear whether gpg is available to
pkg_create when creation is done within the context of pbulk.
Building packages and signing them as an automated process seems to
require a key without a passphrase or gpg-agent. This isn't explained
at all. It seems obvious that gpg-agent is preferred to a key without
There is some notion of certificate chains, and it is not clear if
there is any provision for including these in a signed package,
similar to how pkix sends a cert chain for TLS.
pkg_add has the barest of references to configuring the use of
signatures in pkg_install.conf. Perhaps this is ok.
CERTIFICATE_ANCHOR_PKGS is said to be for PEM-encoded "certificates".
This smells like X.509/pkix, but I think it's OpenPGP. But OpenPGP
tends to talk about keys with signatures, even though I realize that
is the same thing.
The entire notion of "certificate chain" is confusing. With pkix,
there are clear validation rules. With OpenPGP, it's very hazy to me.
Does this mean "certificate that GnuPG will trust based on its
configuration"? With compiled-in defaults? Something else? This
really starts to feel like authorization as any validated cert will be
trusted to vouch for packages, which is blurring the usual PKI lines.
The CERTIFICATE_CHAIN file seems not to be a chain per se but
basically a bunch of keys that can be used to search for a certification
path. That's ok, but it should probably be a bit more clearly stated
because a reader might expect that things are really like pkix.
The variable GPG is said to be for pkg-vulnerabilities, but there is
no mention of whether that is used for checking signed packages, and
if not what is.