tech-pkg archive


Re: Signed binary pkgs setup



Hi Martin,

* Martin Husemann <martin%duskware.de@localhost> [2021-10-15 07:49]:
> On Wed, Oct 13, 2021 at 11:50:12PM +0200, Hubert Feyrer wrote:
> > Hi,
> > 
> > > Am 13.10.2021 um 20:00 schrieb Martin Husemann <martin%duskware.de@localhost>:
> > >
> > >        Validity
> > >            Not Before: Aug 22 16:50:00 2021 GMT
> > >            Not After : Aug 22 16:50:00 2022 GMT
> > 
> > Wild guess: the Certificate is no longer valid?

I really do not have any advice, but I've played a bit with x509
certificate signing. And from my point of view some validation isn't
done in the correct way, or I do not understand the variables:

  CERTIFICATE_ANCHOR_PKGS and CERTIFICATE_CHAIN

I've the following certificate chain:

  root_ca -> signing_ica -> pkgsrc_signing_certificate

For me I've configured mk.conf with:

  SIGN_PACKAGES=     x509
  X509_KEY=          /path/pkgsrc_signing_certificate.key
  X509_CERTIFICATE=  /path/pkgsrc_signing_certificate.crt

Based on my understanding and documentation I would assume the parts
in pkg_install.conf should look like the following:

  CERTIFICATE_ANCHOR_PKGS=/path/pkgsrc_signing_certificate.crt
  CERTIFICATE_CHAIN=/path/root_ca_AND_signing_ica.crt

But as for you the verification is not working as expected.

The following configuration is working for me, but from my point of
view it might be wrong:

  CERTIFICATE_ANCHOR_PKGS=/path/root_ca_AND_signing_ica.crt


From my understanding I would assume I can add root_ca and signing_ica
to CERTIFICATE_CHAIN and set CERTIFICATE_ANCHOR_PKGS to the
pkgsrc_signing_certificate.crt if I like.


The verification is done via OpenSSL with the following line:

  PKCS7_verify(p7, cert_chain, store, in, NULL, 0)

  cert_chain => CERTIFICATE_CHAIN
  store      => Certificate store with CERTIFICATE_ANCHOR_PKGS

Based on the documentation the verification is done with cert_chain
and then with store:
  https://www.openssl.org/docs/man1.0.2/man3/PKCS7_verify.html

Shouldn't CERTIFICATE_ANCHOR_PKGS be the first parameter and the chain
part of the certificate store?


But maybe this is anyway what you're looking for :-)

All the best,
Thomas
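
The two configurations compared in this message, reproduced with the openssl command line as an added example (not part of the original post and not pkg_install code). It assumes `openssl smime -verify`, where `-CAfile` fills the trusted store and `-certfile` supplies the extra certificate list, matching the `store` and `cert_chain` roles mapped above; all keys, certificates and the signed file are constructed throwaway data.

```shell
#!/bin/sh
# Added example: throwaway keys/certs constructed for this demo only.
# Names (root_ca, signing_ica, pkgsrc_signing_certificate) follow the thread.
d=$(mktemp -d)
cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# mkcert NAME EXT_SECTION [ISSUER]: make key + CSR, then self-sign or sign with ISSUER.
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" -subj "/CN=$1" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null || return 1
    signer="-signkey $d/$1.key"
    [ -n "${3:-}" ] && signer="-CA $d/$3.crt -CAkey $d/$3.key -set_serial 2"
    openssl x509 -req -in "$d/$1.csr" -days 1 -extfile "$d/cfg" \
        -extensions "$2" $signer -out "$d/$1.crt" 2>/dev/null
}
mkcert root_ca ca
mkcert signing_ica ca root_ca
mkcert pkgsrc_signing_certificate leaf signing_ica
cat "$d/root_ca.crt" "$d/signing_ica.crt" > "$d/root_ca_AND_signing_ica.crt"

# Detached PKCS#7 signature over a stand-in package file; the signer's
# certificate is embedded in the signature.
echo "constructed package contents" > "$d/pkg"
openssl smime -sign -binary -in "$d/pkg" -outform PEM -out "$d/pkg.p7" \
    -signer "$d/pkgsrc_signing_certificate.crt" \
    -inkey "$d/pkgsrc_signing_certificate.key"

# verify ANCHORS [CHAIN]: ANCHORS becomes the trusted store, CHAIN the
# extra (untrusted) certificate list.
verify() {
    openssl smime -verify -binary -inform PEM -in "$d/pkg.p7" -content "$d/pkg" \
        -CAfile "$1" ${2:+-certfile "$2"} -out /dev/null 2>/dev/null
}

verify "$d/pkgsrc_signing_certificate.crt" "$d/root_ca_AND_signing_ica.crt" \
    && echo "leaf as anchor, CAs as chain: verified" \
    || echo "leaf as anchor, CAs as chain: rejected"
verify "$d/root_ca_AND_signing_ica.crt" \
    && echo "CAs as anchors: verified" || echo "CAs as anchors: rejected"
```

Without partial-chain verification enabled, OpenSSL requires the chain to end in a self-signed certificate found in the trusted store, so a store holding only the non-self-signed signing certificate is rejected.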


