TritonDataCenter / pkgsrc-legacy

Automatically updated conversion of the "pkgsrc" module from anoncvs.netbsd.org
http://www.pkgsrc.org

pkg signing/validation issue. #567

Open jgc234 opened 5 years ago

jgc234 commented 5 years ago

I've got a problem with package signing (or validation more to the point), but I'm unsure if I've got it right yet..

Using:

--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> file /data/packages/SmartOS/2018Q3/x86_64/All/digest-20160304.tgz
/data/packages/SmartOS/2018Q3/x86_64/All/digest-20160304.tgz: current ar archive, not a dynamic executable or shared object

but, attempting to do a pkg_add results in:

--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> pkg_add /data/packages/SmartOS/2018Q3/x86_64/All/digest-20160304.tgz
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
recog_userid: not 13
recog_primary_key: not userid
short pubring recognition???
Ignoring unusual/reserved signature subpacket 33
pkg_add: unable to verify signature: Signature key id 51c870862222c685 not found 
--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--

Interestingly, that key id above is from the middle part of my key, not the end.. I tried both short and long versions of the key - no difference.. Using the middle part of the key doesn't actually match it. Is there a problem with the key lengths and/or compatibility and the code embedded in pkg_add vs gnupg2? Or have I just stuffed up somewhere?

..............51c870862222c685..........
8860B35B7701C351C870862222C68512FBA0CD5B
--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> more /opt/local/etc/pkg_install.conf 
GPG=/opt/local/bin/gpg2
#GPG_SIGN_AS=8860B35B7701C351C870862222C68512FBA0CD5B
GPG_SIGN_AS=FBA0CD5B
GPG_KEYRING_VERIFY=/opt/local/etc/gnupg/pkgsrc.gpg
PKG_PATH=/data/packages/SmartOS/2018Q3/x86_64/All;http://0.0.0.0:8080/packages/SmartOS/2018Q3/x86_64/All
--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> gpg --no-default-keyring --keyring=/opt/local/etc/gnupg/pkgsrc.gpg  --list-keys
gpg: NOTE: trustdb not writable
/opt/local/etc/gnupg/pkgsrc.gpg
-------------------------------
pub   4096R/FAA66EE0 2015-02-03
uid                  Joyent Package Signing <pkgsrc@joyent.com>
sub   4096R/1B1CF4CC 2015-02-03
sub   4096R/DE817B8E 2015-02-03

pub   4096R/FBA0CD5B 2018-12-06
uid                  xxxxxx pkgsrc key <xxxx@xxxxxxxxx>
sub   4096R/3F0325C9 2018-12-06

Any help would be much appreciated..
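For reference when reading the error output above, an added example (not part of the original comment, and not code from pkg_install or GnuPG): in OpenPGP, signature subpacket 16 carries the 8-byte issuer key ID, subpacket 33 carries the issuer fingerprint, and a v4 key ID is the last 8 bytes of the fingerprint. The sketch parses a constructed subpacket area and reports where a given key ID falls inside the fingerprint quoted in the issue; all function names are hypothetical.

```python
# Added example: not code from pkg_install, netpgpverify or GnuPG.
FPR = "8860B35B7701C351C870862222C68512FBA0CD5B"   # fingerprint quoted in the issue
REPORTED = "51c870862222c685"                      # key id from the pkg_add error
ISSUER, ISSUER_FPR = 16, 33                        # OpenPGP signature subpacket types


def subpackets(area: bytes):
    """Yield (type, critical, body) for each subpacket in a v4 signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192, i + 2
        else:                                # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length


def issuer_info(area: bytes):
    """Return (key_id_hex, fingerprint_hex) from subpackets 16 and 33; None where absent."""
    key_id = fpr = None
    for typ, _critical, body in subpackets(area):
        if typ == ISSUER and len(body) == 8:
            key_id = body.hex().upper()
        elif typ == ISSUER_FPR and len(body) == 21 and body[0] == 4:
            fpr = body[1:].hex().upper()     # body = key version octet + v4 fingerprint
    return key_id, fpr


def key_id_offset(fingerprint: str, key_id: str) -> int:
    """Byte offset of key_id inside fingerprint, or -1. A v4 key id sits at offset 12."""
    return bytes.fromhex(fingerprint).find(bytes.fromhex(key_id))


def sample_area() -> bytes:
    """Constructed subpacket area: Issuer Fingerprint (33) followed by Issuer (16)."""
    fp = bytes.fromhex(FPR)
    return bytes([22, ISSUER_FPR, 4]) + fp + bytes([9, ISSUER]) + fp[-8:]


if __name__ == "__main__":
    kid, fpr = issuer_info(sample_area())
    print("issuer key id      :", kid, "offset", key_id_offset(fpr, kid))
    print("reported by pkg_add:", REPORTED.upper(), "offset", key_id_offset(FPR, REPORTED))
```

A key ID that a verifier reports at any offset other than 12 within the 20-byte fingerprint will not match a keyring lookup by long key ID.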

jgc234 commented 5 years ago

Ah, my mistake.. I refreshed the image pkgbuild dir with a git pull, and there's now an older version of gnupg (2.0.30 from gnupg20) pre-installed in the tools space in the sandbox. All is good.

jgc234 commented 4 years ago

A year later, I think I've finally worked out all the constraints that stop my signed packages working - from https://github.com/joyent/pkgsrc-legacy/wiki/pkgdev:signing

The rest of pkgdev:signing works as is.