tech-pkg archive
Cert validation in pkgin
Apparently pkgin doesn't do cert validation for remote repositories.

The pkgin installation process may verify package signatures, but
there's a huge attack surface of parsing and ingesting pkg_summary.bz2
-- and of parsing the structure of the individual package archives --
long before the signatures on the package content can be verified.

We could authenticate pkg_summary.bz2 at the origin (and mitigate
various other things like selective package rollback), but that's a
lot more work and I don't have a concrete proposal to address it now.

Instead, I propose the attached patch to make pkgin require remote
repositories to have valid certs by default. The implementation uses
the proposed new libfetch `V' flag.

This can be overridden with the new `pkgin -i' option to allow
insecure transports, like the proposed new INSECURE_TRANSPORT=1 option
in pkg_install.conf.

Thoughts?
From a862e19961cffddc442caf90b6dc26509553af7b Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Date: Sat, 9 Dec 2023 03:30:45 +0000
Subject: [PATCH] Default to secure transports only; new `-i' option to allow
insecure.
Requires libfetch>=2.40.
---
README.md | 5 ++++-
main.c | 11 +++++++++--
pkgin.1.in | 6 ++++--
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 3a4c405..dbcc016 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ pkgin(1) -- A tool to manage pkgsrc binary packages.
## SYNOPSIS
-`pkgin` [`-dfFhpPvVyn`] [`-l` _limit_chars_] [`-c` _chroot_path_] [`-t` _log_file_] _command_ [package ...]
+`pkgin` [`-dfFhipPvVyn`] [`-l` _limit_chars_] [`-c` _chroot_path_] [`-t` _log_file_] _command_ [package ...]
## DESCRIPTION
@@ -28,6 +28,9 @@ The following command line arguments are supported:
* `-h`:
Displays help for the command
+ * `-i`:
+ Allow insecure transports (HTTP, FTP), not just HTTPS
+
* `-l` _limit_chars_:
Only include the packages with the specified [STATUS FLAGS][]
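Review bot: the new `-i` line, `Allow insecure transports (HTTP, FTP), not just HTTPS`, says nothing about certificate verification, which the cover letter gives as the point of the change (repositories must have valid certs by default, via the libfetch `V` flag); a reader of this line alone would think `-i` only widens the set of URL schemes. Suggest stating both halves, e.g. `Allow insecure transports (HTTP, FTP) and skip HTTPS certificate verification; by default only HTTPS with a valid certificate is accepted`, and applying the same wording to the pkgin.1.in entry.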
diff --git a/main.c b/main.c
index a693bca..e0c2bba 100644
--- a/main.c
+++ b/main.c
@@ -39,8 +39,9 @@ static void ginto(void);
uint8_t yesflag = 0, noflag = 0;
uint8_t verbosity = 0, package_version = 0, parsable = 0, pflag = 0;
+uint8_t insecure_transport = 0;
char lslimit = '\0';
-char fetchflags[4] = { 0, 0, 0, 0 };
+char fetchflags[5] = { 0, 0, 0, 0, 0 };
FILE *tracefp = NULL;
int
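Review bot: `char fetchflags[5]` is a hand-counted bound (one slot per possible flag character plus the terminating NUL), and nothing later checks it; the `fetchflags[ffidx++] = ...` stores in main() will silently write past the end the next time someone adds a flag without bumping the size. Suggest asserting `ffidx < sizeof(fetchflags) - 1` before each store, or building the string with `strlcat` against `sizeof(fetchflags)`, so the bound is enforced rather than counted by hand.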
@@ -59,7 +60,7 @@ main(int argc, char *argv[])
/* Default to not doing \r printouts if we don't send to a tty */
parsable = !isatty(fileno(stdout));
- while ((ch = getopt(argc, argv, "46dhyfFPvVl:nc:t:p")) != -1) {
+ while ((ch = getopt(argc, argv, "46dhiyfFPvVl:nc:t:p")) != -1) {
switch (ch) {
case '4':
v4flag = 1;
@@ -67,6 +68,9 @@ main(int argc, char *argv[])
case '6':
v6flag = 1;
break;
+ case 'i':
+ insecure_transport = 1;
+ break;
case 'f':
force_update = 1;
break;
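Review bot: `insecure_transport` can only be set from the command line, while the cover letter pairs this option with `INSECURE_TRANSPORT=1` in pkg_install.conf for pkg_install, and pkgin already runs `setup_pkg_install()` in the same function. Consider honouring that same setting here so the two tools agree about a given repository, instead of requiring `-i` on every pkgin invocation against it; as written, a repository configured as insecure for pkg_install will be refused by pkgin unless the flag is repeated each time.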
@@ -147,6 +151,9 @@ main(int argc, char *argv[])
if (verbosity) {
fetchflags[ffidx++] = 'v';
}
+ if (!insecure_transport) {
+ fetchflags[ffidx++] = 'V';
+ }
/* Configure pkg_install */
setup_pkg_install();
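Review bot: the `'V'` store is unconditional whenever `-i` is absent, but the commit message says this requires libfetch>=2.40 and the cover letter calls the flag proposed; neither this hunk nor anything else in the patch checks which libfetch pkgin is built against, and how an older libfetch treats an unknown flag character is not established here, so a build against one could run with no verification while the user believes it is on. Suggest a configure-time check that the installed libfetch accepts the `V` flag, failing the build otherwise, rather than relying on the version note in the commit message.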
diff --git a/pkgin.1.in b/pkgin.1.in
index 1f38c79..5e6c453 100644
--- a/pkgin.1.in
+++ b/pkgin.1.in
@@ -1,4 +1,4 @@
-.Dd July 1, 2020
+.Dd December 8, 2023
.Dt PKGIN 1
.Os
.Sh NAME
@@ -6,7 +6,7 @@
.Nd pkgsrc binary package manager
.Sh SYNOPSIS
.Nm
-.Op Fl 46dfhnPpVvy
+.Op Fl 46dfhinPpVvy
.Op Fl c Ar chroot_path
.Op Fl l Ar limit_chars
.Op Fl t Ar log_file
@@ -42,6 +42,8 @@ Download only
Force database update
.It Fl h
Displays help for the command
+.It Fl i
+Allow insecure transports (HTTP, FTP), not just HTTPS
.It Fl l Ar limit_chars
Only include the packages with the specified
.Dv STATUS FLAGS