Trying to compile a package with pkgsrc fails always

[jcea]

Following instructions in https://pkgsrc.joyent.com/docs/building/ . Checking out pkgsrc release "joyent/release/2016Q3".

Trying to compile from source any package will fail always with the same error:

# cd pkgsrc/lang/python35
=> Bootstrap dependency digest>=20010302: NOT found
=> Verifying reinstall for ../../pkgtools/digest
===> Skipping vulnerability checks.
WARNING: No /opt/local/pkg/pkg-vulnerabilities file found.
WARNING: To fix run: `/opt/local/sbin/pkg_admin -K /opt/local/pkg fetch-pkg-vulnerabilities'.
===> Installing for digest-20160304
/usr/bin/bash ./mkinstalldirs /home/pkgsrc/pkgsrc/pkgtools/digest/work/.destdir/opt/local/bin
/opt/local/bin/bsdinstall -c -s -o root -g root -m 755 digest /home/pkgsrc/pkgsrc/pkgtools/digest/work/.destdir/opt/local/bin/digest
/usr/bin/bash ./mkinstalldirs /home/pkgsrc/pkgsrc/pkgtools/digest/work/.destdir/opt/local/man/man1
/opt/local/bin/bsdinstall -c -o root -g root -m 644 digest.1 /home/pkgsrc/pkgsrc/pkgtools/digest/work/.destdir/opt/local/man/man1/digest.1
=> Automatic manual page handling
=> Creating binary package /home/pkgsrc/pkgsrc/pkgtools/digest/work/.packages/digest-20160304.tgz
===> Building binary package for digest-20160304
=> Creating binary package /home/pkgsrc/pkgsrc/packages/All/digest-20160304.tgz
===> Installing binary package of digest-20160304
pkg_add: No valid signature found, rejected
pkg_add: 1 package addition failed
*** Error code 1

Stop.
bmake[3]: stopped in /home/pkgsrc/pkgsrc/pkgtools/digest
*** Error code 1

Stop.
bmake[2]: stopped in /home/pkgsrc/pkgsrc/pkgtools/digest
*** Error code 1

Stop.
bmake[1]: stopped in /home/pkgsrc/pkgsrc/pkgtools/digest
*** Error code 1

Stop.
bmake: stopped in /home/pkgsrc/pkgsrc/lang/python35

Every package that I try fails with the same error.

[wiedi]

You'll have to comment out the line VERIFIED_INSTALLATION=always in /opt/local/etc/pkg_install.conf or setup package signing.

This should probably be noted in the documentation you linked.

[jcea]

Can I disable that verification only for local "pkgsrc" packages builds?. I don't want to disable it for packages installed with "pkgin".

[jcea]

Details about how to locally sign packages welcomed :). Currently "pkgsrc" source package builds are not usable :-(

[jperkin]

There's no way to differentiate whether a package was built locally or by someone else, so for now you'll need to either disable VERIFIED_INSTALLATION or use pkg_add -C /dev/null. I want to find a decent way to work around this issue but it's not trivial unfortunately.

[jperkin]

Also note that it's much quicker to get up to speed by using the pkgbuild image, this is a pre-populated image with the tools we use to build official packages, rather than having to do everything by hand. See https://github.com/joyent/pkgbuild/ for more information.

[jcea]

I think this is specially important because even commenting out "VERIFIED_INSTALLATION=always" ONLY for the duration of the build step will leaves us vulnerable to hijacked dependencies automatically brought to fulfill the compilation step.

[jperkin]

You can run bmake depends to pull them in first if this is a concern.

[jcea]

Good idea about the pkgbuild image. I will try out.

Thanks for the "bmake depends" hint too. Is there any way to learn about the available "bmake" targets?.

[jperkin]

The list of primary targets is documented at the top of https://github.com/joyent/pkgsrc/blob/trunk/mk/bsd.pkg.mk and you can use the help target to provide more information on them, e.g.:

$ bmake help topic=depends
===> mk/depends/bsd.depends.mk (keywords: depends dependencies SKIP_DEPENDS):
# This Makefile fragment is included by bsd.pkg.mk and provides all
# variables and targets related to dependencies.
#
# The following are the "public" targets provided by this module:
#
#    depends, bootstrap-depends, install-depends
#
# The following variables may be set by the pkgsrc user:
#
# SKIP_DEPENDS
#   Whether to run the ``depends'' phase.  This is probably only
#   useful for pkgsrc developers.
#
#   Default value: no
#

Otherwise if you want more internal details then have a read through the various files under https://github.com/joyent/pkgsrc/blob/trunk/mk