tech-pkg archive


Re: Signed binary pkgs setup



On Sat, Oct 16, 2021 at 10:56:39AM -0400, Greg Troxel wrote:
> OpenPGP has the same chain concept, with knobs to configure.   But, I
> don't see why one can't:
> 
>   create a TNF-controlled (you with someone as backup) PGP key intended
>   to be used over a long time (at least 5 years), and kept offline, as
>   the TNF release signing CA key
> 
>   put the public part of this key into the distribution, and publish it
> 
>   Keep a file of public keys authorized to sign packages and put it on
>   cdn.netbsd.org.  Update it as needed, and get a signature from the CA key
> 
>   Write a script to download the signed keyfile, validate the signature,
>   and put it in a keyring to be used for validating packages

Yes, that may work. This whole thing started with Thomas (wiz) and me
discussing "what would need to be done on TNF releng side and what in
pkgsrc to allow signed binary pkgs right after a new NetBSD install".

Everyone always says "it's all there, you just need to use it" - but that seems
to be only partly true. All actively used instances of binary pkgs start with
a bootstrap kit, and that can easily provide all the needed keys (as well
as all the required configuration).

I have been assured the x509 setup used to work, and that likely some changes
in OpenSSL broke it sometime (as no one is actively using it).

I am happy with any off-the-shelf solution that allows pkg_in or pkg_add
with a repo of signed binary pkgs right at the end of sysinst doing an
installation - with the additional requirement that on the NetBSD side
we don't have to update the trust anchor key(s) or have the (NetBSD-)release
come with a complete list of pkgbuilder (i.e. machines) keys.

Of course, given the very sparse documentation available, it could all be my
fault - some stupid mixup of keys in my test setup or whatever.

Seeing that Thomas Merkel ended in very similar trouble makes me think it
is a bug in the documentation or really something bitrotted/got broken in
newer openssl versions (I mean the pkg_install code not doing whatever is
now needed for current openssl). Anyone would like to help debug + improve
the documentation?


Martin
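The keyfile update script sketched in Greg's four steps above, written out as an added example that is not code from this thread, from pkgsrc or from TNF. It assumes a CA public keyring shipped with the release, a keyfile plus detached signature published on cdn.netbsd.org, NetBSD's ftp(1) as the fetcher, and a placeholder CA fingerprint; every path and name in it is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or pkgsrc): download the signed keyfile,
# check that the detached signature was made by the TNF release CA key, and
# only then import the package-signer keys into the pkg keyring.
set -eu

# All of these are assumptions, not real TNF/pkgsrc locations or values.
BASE=${BASE:-https://cdn.netbsd.org/pub/pkgsrc/keys}          # keys.gpg + keys.gpg.sig
CA_KEYRING=${CA_KEYRING:-/usr/share/pkg/tnf-release-ca.gpg}  # shipped with the release
CA_FPR=${CA_FPR:-0000000000000000000000000000000000000000}   # placeholder CA fingerprint
PKG_KEYRING=${PKG_KEYRING:-/var/db/pkg/pkg-signers.gpg}      # keyring pkg_add would use

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# fetch_keyfile: get the keyfile and its detached signature (ftp(1) is NetBSD's fetcher).
fetch_keyfile() {
  ftp -o "$WORK/keys.gpg" "$BASE/keys.gpg"
  ftp -o "$WORK/keys.gpg.sig" "$BASE/keys.gpg.sig"
}

# verify_keyfile KEYFILE SIG: succeed only when gpg reports a VALIDSIG whose
# signing key or primary key is the pinned CA fingerprint. The exit status of
# gpg --verify alone would accept any key in CA_KEYRING, so the status line
# is checked rather than the status code.
verify_keyfile() {
  gpg --batch --no-default-keyring --keyring "$CA_KEYRING" --status-fd 1 \
      --verify "$2" "$1" 2>/dev/null |
    grep -Eq "^\[GNUPG:\] VALIDSIG ($CA_FPR |.* $CA_FPR$)"
}

# install_keyfile KEYFILE: build a fresh signer keyring and swap it in atomically.
install_keyfile() {
  gpg --batch --no-default-keyring --keyring "$PKG_KEYRING.new" --import "$1"
  mv "$PKG_KEYRING.new" "$PKG_KEYRING"
}

main() {
  fetch_keyfile
  if verify_keyfile "$WORK/keys.gpg" "$WORK/keys.gpg.sig"; then
    install_keyfile "$WORK/keys.gpg"
  else
    echo "keyfile signature not valid for CA $CA_FPR; keyring left unchanged" >&2
    exit 1
  fi
}

# Run the update only when invoked as "script update", so the functions can be sourced.
if [ "${1:-}" = update ]; then main; fi
```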

