Re: signed packages documentation
On Thu, Jul 23, 2020 at 11:36:38AM -0400, Greg Troxel wrote:
> pkg_create does not say anything about signed packages. Most of the
> following probably should be addressed in pkg_create(1).
pkg_create doesn't deal with signed packages.
> pkg_install.conf mentions "GPG_SIGN_AS" as a config variable. It
> doesn't speak to where the key is, or what program is used to sign.
> We have netpgp in NetBSD base, and there is gpg 1 and 2 in pkgsrc.
Read again? There are four paragraphs above that variable...
> There is no explanation of whether or not one can create a package,
> and sign it later, or if this can be done only at creation time.
See first item.
> There is no real explanation of how to come up with a keypair and how
> to produce the bits needed for validation. (Only needs to be
> understandable by people that have used openpgp and basically
> understand, in my view.)
This doesn't even make sense to me.
> Building packages and signing them as an automated process seems to
> require a key without a passphrase or gpg-agent. This isn't explained
> at all. It seems obvious that gpg-agent is preferred to a key without
> a passphrase.
Those are two options. The third option is to upload to a second system
and do the signing on that one, so that the key material is not
available to the build environment at all.
> There is some notion of certificate chains, and it is not clear if
> there is any provision for including these in a signed package,
> similar to how pkix sends a cert chain for TLS.
There are two models for signing supported, using PGP signatures and
using x509 signatures. Certificate chains are used for the latter.
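Editor's note, added to this archived message and not part of the thread or of pkg_install itself: the "third option" above (build on one host, sign on a separate host that alone holds the key named by GPG_SIGN_AS in pkg_install.conf) is the one that keeps key material away from the build environment, and the step that is easy to get wrong is checking what arrived before signing it. The script below is an illustration of that workflow. Assumed, not taken from the thread: the inbox/outbox directory layout, the SHA512.txt manifest format, the PKG_ADMIN override variable, and the invocation form "pkg_admin gpg-sign-package pkg signed_pkg", which is how I recall pkg_admin(1) documenting it; check the man page on the signing host before relying on it. The manifest is only an integrity check for the transfer, so it has to travel over an authenticated channel (scp over ssh, for example) or be signed separately.

```shell
#!/bin/sh
# Added illustration of the separate-signing-host workflow.
# Hypothetical layout:  build host -> stage <pkgdir> <inbox>
#                       signing host -> sign <inbox> <signed>
# PKG_ADMIN may be overridden (e.g. for a dry run); default is pkg_admin.
set -eu

# Whichever SHA-512 tool is present: sha512sum on Linux, sha512 -q on BSDs.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        sha512 -q "$1"
    fi
}

# Build host: copy freshly built packages into a staging directory together
# with a manifest of their digests, one "<sha512> <filename>" line each.
build_host_stage() {
    src=$1 dst=$2
    mkdir -p "$dst"
    : > "$dst/SHA512.txt"
    for pkg in "$src"/*.tgz; do
        [ -f "$pkg" ] || continue
        cp "$pkg" "$dst/"
        printf '%s %s\n' "$(sha512_of "$pkg")" "${pkg##*/}" >> "$dst/SHA512.txt"
    done
}

# Signing host: the only machine with the OpenPGP key (GPG_SIGN_AS).
# Refuse to sign anything the manifest does not list, anything listed but
# missing, or anything whose digest changed; only then call pkg_admin.
signing_host_sign() {
    inbox=$1 out=$2
    [ -f "$inbox/SHA512.txt" ] || { echo "no manifest in $inbox" >&2; return 1; }
    # A file that was dropped into the inbox but never staged is never signed.
    for pkg in "$inbox"/*.tgz; do
        [ -f "$pkg" ] || continue
        cut -d' ' -f2 "$inbox/SHA512.txt" | grep -qxF "${pkg##*/}" \
            || { echo "unlisted package: ${pkg##*/}" >&2; return 1; }
    done
    mkdir -p "$out"
    while read -r want name; do
        pkg=$inbox/$name
        [ -f "$pkg" ] || { echo "missing package: $name" >&2; return 1; }
        have=$(sha512_of "$pkg")
        [ "$have" = "$want" ] || { echo "digest mismatch: $name" >&2; return 1; }
        # Command form as recalled from pkg_admin(1): verify on your system.
        "${PKG_ADMIN:-pkg_admin}" gpg-sign-package "$pkg" "$out/$name" </dev/null
    done < "$inbox/SHA512.txt"
}

case "${1:-}" in
    stage) build_host_stage "$2" "$3" ;;
    sign)  signing_host_sign "$2" "$3" ;;
esac
```

Run "stage" on the build host, transfer the staging directory to the signing host, and run "sign" there; the signed packages in the output directory are what gets published. The unlisted-file check matters as much as the digest check: a signer that walks the inbox and signs whatever it finds would happily sign a package an attacker with write access to the transfer path added alongside the genuine ones.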