Date:      Tue, 14 Jan 2014 13:58:31 +0100
From:      Baptiste Daroussin <bapt@FreeBSD.org>
To:        Yuri <yuri@rawbw.com>
Cc:        freebsd-pkg@freebsd.org
Subject:   Re: Does pkg check signatures?
Message-ID:  <20140114125830.GB77567@ithaqua.etoilebsd.net>
In-Reply-To: <52D530CE.4090908@rawbw.com>
References:  <52D5269A.5090803@rawbw.com> <52D52926.5090104@infracaninophile.co.uk> <52D530CE.4090908@rawbw.com>



On Tue, Jan 14, 2014 at 04:42:54AM -0800, Yuri wrote:
> On 01/14/2014 04:10, Matthew Seaman wrote:
> > pkg is fully capable of checking cryptographic signatures if configured
> > to do so.  Specifically you need 'signature-type' and 'fingerprints'
> > defined in your repo.conf
> >
> > Try using the standard /etc/pkg/FreeBSD.conf available here:
> >
> > http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=log
> >
> > and the public key in /usr/share/keys/pkg available here:
> >
> > http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?view=log
> 
> I followed your instructions. File /usr/local/etc/pkg/repos/FreeBSD.conf
> is like this:
> ---begin---
> FreeBSD: {
>    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
>    mirror_type: "srv",
>    signature_type: "fingerprints",
>    fingerprints: "/usr/share/keys/pkg",
>    enabled: yes
> }
> ---end---
> 
> and file /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is like
> this:
> ---begin---
> # $FreeBSD$
> 
> function: "sha256"
> fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
> ---end---
> 
> 'pkg install' reads the first file, doesn't read the second file, and
> succeeds downloading and installing a package. Something is wrong.
> Which file is this fingerprint for? Every downloaded file should have
> an individual signature downloaded with it.
> 
What is signed is the catalog which contains the hash of all the available
packages.

So the signature is only checked during pkg update, when the database is
being updated, not during package installation, because there it is not
needed: the fetched packages are tested against their hash.

regards,
Bapt
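The two-stage check Bapt describes (a signed catalog at `pkg update`, then only a hash comparison at `pkg install`) as an added worked example. This is illustrative code written for this page, not pkg's own implementation: the catalog format (`name version sha256` lines), the package bytes and the serialised public key are constructed here, and a textbook RSA (no padding, small 512-bit modulus) stands in for the OpenSSL-based signature that pkg itself uses, which is an assumption about the real tool. What the page does establish is the trust path: a signing key is accepted only if its sha256 fingerprint matches a trusted file of the form shown above, the signature covers the catalog, and each fetched package is checked against the hash recorded in that catalog.

```python
"""Model of the pkg(8) trust chain described in the thread (illustrative, not pkg's code).

Stage 1 (pkg update): the signing key is trusted only if sha256(key) matches a
fingerprint in the trusted directory; the signature over the catalog is verified.
Stage 2 (pkg install): the fetched package is compared against the sha256 in the catalog.
"""
import hashlib
import random
import re

# ---- toy textbook RSA: a stand-in for the real signature scheme, never use as-is ----

def _is_probable_prime(n, rng, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):          # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def gen_keypair(bits=512, seed=1):
    """Deterministic toy key pair. Returns (serialised public key bytes, private key)."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:       # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            break
    n = p * q
    pub = f"{n:x}:{e:x}".encode()    # this blob is what gets fingerprinted, like a PEM key would be
    return pub, (n, pow(e, -1, phi))

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = (int(x, 16) for x in pub.decode().split(":"))
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return 0 < sig < n and pow(sig, e, n) == h

# ---- trusted fingerprint files, in the layout shown in the thread ----

_FP_RE = re.compile(r'^\s*(function|fingerprint)\s*:\s*"([^"]+)"', re.M)

def parse_fingerprint_file(text):
    kv = dict(_FP_RE.findall(text))
    return kv["function"], kv["fingerprint"].lower()

def key_is_trusted(pub, trusted_files):
    digest = hashlib.sha256(pub).hexdigest()
    return any(fn == "sha256" and fp == digest
               for fn, fp in map(parse_fingerprint_file, trusted_files))

# ---- catalog and the two stages ----

def parse_catalog(data):
    """Constructed catalog format: one '<name> <version> <sha256>' per line."""
    table = {}
    for line in data.decode().splitlines():
        if line.strip() and not line.startswith("#"):
            name, version, digest = line.split()
            table[name] = (version, digest.lower())
    return table

def pkg_update(catalog, sig, pub, trusted_files):
    """Stage 1: signature checked here, and only here."""
    if not key_is_trusted(pub, trusted_files):
        raise ValueError("signing key matches no trusted fingerprint")
    if not verify(pub, catalog, sig):
        raise ValueError("catalog signature does not verify")
    return parse_catalog(catalog)

def pkg_install(name, package_bytes, table):
    """Stage 2: no signature, just the hash the signed catalog vouches for."""
    version, expected = table[name]
    if hashlib.sha256(package_bytes).hexdigest() != expected:
        raise ValueError(f"{name}-{version}: checksum mismatch")
    return f"{name}-{version}"

def demo():
    """Constructed repository: one good install and three attacks, each stopped at its stage."""
    pub, priv = gen_keypair()
    pkgs = {"nginx": ("1.4.4", b"constructed nginx package bytes"),
            "vim": ("7.4", b"constructed vim package bytes")}
    catalog = b"# constructed catalog\n" + b"".join(
        f"{n} {v} {hashlib.sha256(b).hexdigest()}\n".encode() for n, (v, b) in pkgs.items())
    sig = sign(priv, catalog)
    trusted = [f'# $FreeBSD$\n\nfunction: "sha256"\nfingerprint: "{hashlib.sha256(pub).hexdigest()}"\n']
    table = pkg_update(catalog, sig, pub, trusted)
    out = {"good_install": pkg_install("nginx", pkgs["nginx"][1], table)}
    checks = {
        # mirror serves a swapped package: caught by the hash at install time
        "tampered_pkg": lambda: pkg_install("nginx", b"tampered", table),
        # mirror also rewrites the catalog hash but cannot re-sign it: caught at update time
        "tampered_catalog": lambda: pkg_update(catalog.replace(
            hashlib.sha256(pkgs["nginx"][1]).hexdigest().encode(),
            hashlib.sha256(b"tampered").hexdigest().encode()), sig, pub, trusted),
        # attacker signs with their own key, which no trusted fingerprint file names
        "untrusted_key": lambda: pkg_update(catalog, sign(gen_keypair(seed=2)[1], catalog),
                                            gen_keypair(seed=2)[0], trusted),
    }
    for label, attempt in checks.items():
        try:
            attempt()
            out[label] = "accepted"
        except ValueError:
            out[label] = "rejected"
    return out

if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one in the reply: `pkg_install` never touches a signature, yet a swapped package is still rejected, because the hash it is compared against came from a catalog whose signature was checked by a key pinned through the fingerprint file. Replacing the catalog hash as well does not help the attacker, since that invalidates the signature checked at update time.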




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140114125830.GB77567>