tech-pkg archive


Re: signed packages documentation



On Thu, Jul 23, 2020 at 03:24:16PM -0400, Greg Troxel wrote:
> Joerg Sonnenberger <joerg%bec.de@localhost> writes:
> 
> > On Thu, Jul 23, 2020 at 11:36:38AM -0400, Greg Troxel wrote:
> >>   pkg_install.conf mentions "GPG_SIGN_AS" as a config variable.  It
> >>   doesn't speak to where the key is, or what program is used to sign.
> >>   We have netpgp in NetBSD base, and there is gpg 1 and 2 in pkgsrc.
> >
> > Read again? There are four paragraphs above that variable...
> 
> So is netpgp in the picture at all?  Or is it usable as a "GPG" program
> (which it isn't, but it looks like it is intended to be
> argument-compatible)?

It is used for the verification, but couldn't do the signing for some
reason that I forgot.

> >>   There is some notion of certificate chains, and it is not clear if
> >>   there is any provision for including these in a signed package,
> >>   similar to how PKIX sends a cert chain for TLS.
> >
> > There are two models for signing supported, using PGP signatures and
> > using x509 signatures. Certificate chains are used for the latter.
> 
> The notion of two PKI models, and validation is not clearly explained
> anywhere.  So is it fair that:
> 
>   CERTIFICATE_ANCHOR_PKGS
>   CERTIFICATE_CHAIN
> 
> are (ignoring the vulnerability file for now) only used for verification,
> and if set are a declaration that packages must be signed with x509?

pkg_add opens the package, sees a signature and checks if it can verify
it. If it can, it considers the package signed, otherwise it continues.
A package can have an x509 signature, a PGP signature, both, or none at
all. If a signature type is found and there is no corresponding trust
configured, the signature is rejected/ignored.

> I see GPG_KEYRING_VERIFY, but nothing speaks to how keys in the keyring
> are processed, in terms of needing to be marked trusted, validatable
> from trusted keys following gnupg defaults, just in the keyring, or ?

All valid keys in the keyring are considered trusted.

> Is there a technical/operational preference for gpg vs x509 here?

Technically, they are pretty much equivalent. IMO the hierarchical trust
model of x509 fits better for an organisational use case, but opinions
differ.

Joerg
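The acceptance rule Joerg describes above (a signature only counts when trust for its type is configured and the signature actually verifies; otherwise it is ignored or rejected and pkg_add continues) as an added model in Python. This is not pkg_install's code: the verifier callables, the sample keyring and anchor sets, and the path values are constructed stand-ins, and only the configuration variable names come from the thread.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

@dataclass
class TrustConfig:
    # pkg_install.conf variables named in the thread; None means "not configured"
    CERTIFICATE_ANCHOR_PKGS: Optional[str] = None
    CERTIFICATE_CHAIN: Optional[str] = None
    GPG_KEYRING_VERIFY: Optional[str] = None

@dataclass
class Package:
    # signature type ("x509" or "pgp") -> signature blob; here the blob is just
    # the signer's identity (constructed simplification, not the real format)
    signatures: Dict[str, str] = field(default_factory=dict)

# Constructed stand-ins for the real checks. Per the thread, every valid key in
# the keyring is trusted, so a PGP signer is accepted iff it is in the keyring;
# an x509 signer is accepted iff it chains to a configured anchor.
SAMPLE_PGP_KEYRING = {"0xDEADBEEF"}
SAMPLE_X509_ANCHORS = {"pkgsrc-ca"}
VERIFIERS: Dict[str, Callable[[str, TrustConfig], bool]] = {
    "pgp": lambda blob, trust: blob in SAMPLE_PGP_KEYRING,
    "x509": lambda blob, trust: blob in SAMPLE_X509_ANCHORS,
}

def evaluate(pkg: Package, trust: TrustConfig,
             verifiers: Dict[str, Callable[[str, TrustConfig], bool]]
             ) -> Tuple[bool, Dict[str, str]]:
    """Return (considered_signed, outcomes).

    outcomes maps each signature type found in the package to 'verified',
    'ignored' (no trust configured for that type) or 'rejected' (trust
    configured, but the signature did not verify against it).
    """
    outcomes: Dict[str, str] = {}
    for sig_type, blob in pkg.signatures.items():
        if sig_type == "x509":
            configured = trust.CERTIFICATE_ANCHOR_PKGS is not None
        elif sig_type == "pgp":
            configured = trust.GPG_KEYRING_VERIFY is not None
        else:
            configured = False          # unknown type: nothing to trust it with
        if not configured:
            outcomes[sig_type] = "ignored"
            continue
        ok = verifiers[sig_type](blob, trust)
        outcomes[sig_type] = "verified" if ok else "rejected"
    # the package is "signed" as soon as any one signature verifies
    return any(v == "verified" for v in outcomes.values()), outcomes
```

Note that a package carrying only a PGP signature is treated as unsigned when GPG_KEYRING_VERIFY is unset, which is the "rejected/ignored" case from the thread rather than a verification failure.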

