tech-pkg archive


Re: Signed binary pkgs setup



Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Wednesday, October 13th, 2021 at 19:59, Martin Husemann <martin%duskware.de@localhost> wrote:

> Hey folks,
>
> I am trying to set up a test environment to create x509 signed binary
> pkgs. Signing seems to work, but pkg_info is a bit unhappy about the
> result:
>
> --8<--
> > pkg_info /others/packages/x86_64/All/digest-20190127.tgz
> pkg_info: Failed to verify signature
> Information for /others/packages/x86_64/All/digest-20190127.tgz:
> Comment:
> Message digest wrapper utility
> [...]
> -->8--
>
> Manually extracting the pkg and checking the included signature shows
> what I'd expect:
>
> --8<--
> > openssl pkcs7 -noout -print_certs -text -in ./+PKG_SIGNATURE
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=US, ST=Delaware, O=The NetBSD Foundation, OU=pkgsrc, CN=pkgsrc-security/emailAddress=pkgsrc-security%NetBSD.org@localhost
> Validity
> Not Before: Aug 22 16:50:00 2021 GMT
> Not After : Aug 22 16:50:00 2022 GMT
> Subject: C=US, ST=Delaware, O=The NetBSD Foundation, OU=pkgsrc, CN=TNF owned build machines
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (4096 bit)
> Modulus:
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> Netscape Comment:
> Certificate for binary pkgsrc packages
> X509v3 Subject Key Identifier:
> 21:1C:39:E2:E0:87:ED:CB:38:57:E6:F7:24:1E:B9:87:BC:22:30:4D
> X509v3 Authority Key Identifier:
> DirName:/C=US/ST=Delaware/O=The NetBSD Foundation/OU=pkgsrc/CN=pkgsrc-security/emailAddress=pkgsrc-security%NetBSD.org@localhost
> serial:00
> X509v3 Subject Alternative Name:
> email:pkgsrc-users%NetBSD.org@localhost
> X509v3 Extended Key Usage:
> Code Signing, E-mail Protection
> Signature Algorithm: sha256WithRSAEncryption
> Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number: 0 (0x0)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=US, ST=Delaware, O=The NetBSD Foundation, OU=pkgsrc, CN=pkgsrc-security/emailAddress=pkgsrc-security%NetBSD.org@localhost
> Validity
> Not Before: Aug 22 16:45:55 2021 GMT
> Not After : Aug 22 16:45:55 2022 GMT
> Subject: C=US, ST=Delaware, O=The NetBSD Foundation, OU=pkgsrc, CN=pkgsrc-security/emailAddress=pkgsrc-security%NetBSD.org@localhost
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (4096 bit)
> Modulus:
> Exponent: 65537 (0x10001)
> Signature Algorithm: sha256WithRSAEncryption
> -->8--
>
> and these match CERTIFICATE_ANCHOR_PKGS (Not Before: Aug 22 16:50:00 2021 GMT)
> and CERTIFICATE_CHAIN (Not Before: Aug 22 16:45:55 2021 GMT).
>
> What am I missing?
>
> Martin

@jperkin has been using signed pkgs for ages. Any clue?!

