Closed jdwhite closed 1 year ago
Just a comment on this part to begin with:
At this point, GPG_KEYRING_VERIFY=/opt/pkg/etc/gnupg/pkgsrc.gpg and VERIFIED_INSTALLATION=always are set in pkg_install.conf. However, /opt/pkg/etc/gnupg/pkgsrc.gpg does not exist (yet).
This isn't correct, the bootstrap should include that file, which contains the public signing key for the packages:
$ tar ztvf bootstrap-macos14-trunk-x86_64-20200716.tar.gz | grep gpg
-rw-r--r-- 0 root wheel 3835 Jul 16 11:55 ./opt/pkg/etc/gnupg/pkgsrc.gpg
Without that file, yes you'd hit problems as there wouldn't be a way to validate the signatures. However I think you might mean /opt/pkg/etc/pkgsrc.gpg
that you refer to later?
Even though VERIFIED_INSTALLATION=always I am not prompted to approve installation of gnupg2 nor any of its dependencies. Is this because /opt/pkg/etc/gnupg/pkgsrc.gpg doesn't exist?
Package verification doesn't rely on GnuPG, it uses the netpgpverify library built into the pkg_install tools.
root@jdwhites-Mac etc # cat pkg_install.conf
GPG_KEYRING_PKGVULN=/opt/pkg/share/gnupg/pkgsrc-security.gpg
GPG_KEYRING_VERIFY=/opt/pkg/etc/pkgsrc.gpg
There should be no need to do this, and there can be incompatibilities between the keys that GnuPG exports and what netpgpverify supports. If you really want to use GPG for verification (which you can, I just don't think there is any benefit in doing so, I spent a while implementing netpgpverify support so that external commands were not necessary) then you'll probably need to also update pkg_install.conf to include GPG=/path/to/gpg2.
I think it'd help to understand what you're trying to accomplish. Everything is set up out of the box to automatically validate packages, as you can see from your initial pkgin in gnupg2 it worked fine (the packages wouldn't install if the verification failed). If you just want to verify the bootstrap tarball then the instructions should provide the commands required for that, and you don't need to change pkg_install.conf. If you want to build your own packages and sign them then that's a little more involved and is described here: https://github.com/joyent/pkgsrc/wiki/pkgdev:signing
Let me know if anything needs further explanation.
Just a comment on this part to begin with:
At this point, GPG_KEYRING_VERIFY=/opt/pkg/etc/gnupg/pkgsrc.gpg and VERIFIED_INSTALLATION=always are set in pkg_install.conf. However, /opt/pkg/etc/gnupg/pkgsrc.gpg does not exist (yet).
This isn't correct, the bootstrap should include that file, which contains the public signing key for the packages:
You're correct; my bad. That does explain everything I asked about relating to verification of the installation of gnupg2.
root@jdwhites-Mac etc # cat pkg_install.conf
GPG_KEYRING_PKGVULN=/opt/pkg/share/gnupg/pkgsrc-security.gpg
GPG_KEYRING_VERIFY=/opt/pkg/etc/pkgsrc.gpg
There should be no need to do this, and there can be incompatibilities between the keys that GnuPG exports and what netpgpverify supports. If you really want to use GPG for verification (which you can, I just don't think there is any benefit in doing so, I spent a while implementing netpgpverify support so that external commands were not necessary) then you'll probably need to also update pkg_install.conf to include GPG=/path/to/gpg2.
Indeed, and even just creating a new keyring and importing your key causes verification issues, so I don't see how gpg2 works here at all. I'd seen various examples about setting GPG to /path/to/gpg2 so I thought that GnuPG was supported for signing/verification. I have no particular preference between gpg2/netpgp.
I think it'd help to understand what you're trying to accomplish. Everything is set up out of the box to automatically validate packages, as you can see from your initial pkgin in gnupg2 it worked fine (the packages wouldn't install if the verification failed). If you just want to verify the bootstrap tarball then the instructions should provide the commands required for that, and you don't need to change pkg_install.conf. If you want to build your own packages and sign them then that's a little more involved and is described here: https://github.com/joyent/pkgsrc/wiki/pkgdev:signing
Ultimately, yes, building and signing my own packages is what started me down this road. I've known about your repo for a while but wanted to learn how to do this myself, plus set up my own binary repo (which is another story).
In reading the pkgdev:signing page it mentions using different gnupg2 packages depending on which pkgsrc version you're using. On my package build machine I'm using gnupg2 from pkgsrc-current. Sounds like that may be creating compatibility issues when I export my public signing key -- unsure here.
I was using gpg2 to create my signing key, but is the proper procedure to then export the public key with gpg2 or something else? netpgp says that you can export keys but I see no option to do that. I'm guessing it was either exporting with gpg2 or possibly importing with gpg2 to the pkgsrc.gpg keyring on the client machines that was mangling the public signing key. Would appreciate some clarity here.
Thank you.
root@jdwhites-Mac etc # file pkgsrc.gpg gnupg/pkgsrc.gpg
pkgsrc.gpg: GPG keybox database version 1, created-at Mon Nov 23 20:35:13 2020, last-maintained Mon Nov 23 20:35:13 2020
gnupg/pkgsrc.gpg: PGP/GPG key public ring (v4) created Tue Feb 3 07:11:36 2015 RSA (Encrypt or Sign) 4096 bits MPI=0xf807edd637e2537d...
Guessing netpgp/netpgpverify doesn't support key box database formats, perhaps.
gpg2 manpage talking about pubring.gpg files:
"If this file is not available, gpg defaults to the new keybox format and creates a file pubring.kbx unless that file already exists in which case that file will also be used for OpenPGP keys.
Note that in the case that both files, pubring.gpg and pubring.kbx exists but the latter has no OpenPGP keys, the legacy file pubring.gpg will be used. Take care: GnuPG versions before 2.1 will always use the file pubring.gpg because they do not know about the new keybox format. In the case that you have to use GnuPG 1.4 to decrypt archived data you should keep this file."
Sounds like either use <2.1 GnuPG, find a way to make >=2.1 GnuPG write older keyring format, use netpgp, or gpg 1.x.
I think this explains why I saw examples of others using gpg2 in their pkg_install.conf files.
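An added check, not part of the thread: the `file` output above shows the working keyring as a legacy OpenPGP public ring and the broken one as a GnuPG keybox database, so the quickest way to catch the mismatch before pkg_add complains about a missing signature key id is to classify the file that GPG_KEYRING_VERIFY points at by its magic bytes. This POSIX shell function (assumes only dd, od and tr) does that; the keybox magic "KBXf" sits at byte offset 8 of the header blob, while a legacy keyring starts with an OpenPGP Public-Key packet tag.

```shell
#!/bin/sh
# Added example: classify a pkg_install keyring file by its on-disk format.
# "keybox"  = GnuPG >= 2.1 pubring.kbx layout (what a fresh --import creates)
# "openpgp" = legacy OpenPGP packet keyring (the format of the bundled
#             /opt/pkg/etc/gnupg/pkgsrc.gpg shown by `file` in the thread)
keyring_format() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }

    # keybox header blob: 4-byte length, type=1, version=1, 2 flag bytes,
    # then the ASCII magic "KBXf" at offset 8
    magic=$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)
    if [ "$magic" = "KBXf" ]; then
        echo keybox
        return 0
    fi

    # legacy keyring: first byte is an OpenPGP packet tag for a Public-Key
    # packet (tag 6): 0x98-0x9b in old-format encoding, 0xc6 in new-format
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    case "$first" in
        98|99|9a|9b|c6) echo openpgp; return 0 ;;
    esac

    echo unknown
    return 1
}

# Usage: check the keyring named in pkg_install.conf, e.g.
#   keyring_format /opt/pkg/etc/gnupg/pkgsrc.gpg
```

A "keybox" result means netpgpverify-based verification in pkg_install will not be able to find the key; point GPG_KEYRING_VERIFY at the bundled /opt/pkg/etc/gnupg/pkgsrc.gpg, or regenerate the keyring in the legacy format.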
Found netpgpkeys. Unfortunately, both netpgp and netpgpkeys yield a segfault for me for every action. I just built these from pkgsrc-current on Catalina. Same results using packages from the Joyent repo.
I finally had success with signing and verifying packages using gpg v1.x in that I could successfully do a pkg_admin gpg-sign-package ... followed by a pkg_info -X .... After that success, if I replace GPG= with gpg2 (changing nothing else) then it doesn't find the secret key. Apparently gpg2 doesn't grok the 8-character version of the key id. Trying the longer version from gpg2 --list-keys doesn't work for signing either -- can't find the key. I don't care about making it work with gpg2, was just curious since my impression is that gpg2 is supposed to work for gpg2 <2.1. Plus, I have a feeling that even if I could sign with gpg2 it would fail to verify due to netpgp stuff.
Yeh, this is why I specifically have our https://github.com/joyent/pkgsrc-joyent/tree/master/gnupg20 package which retains the 2.0.x branch. I needed it because they broke gpg-agent compatibility in 2.2.x but it also seems like they broke compatibility in other areas too.
You should be able to install the gnupg20 package to get it, and then I think things should work correctly.
Fresh macOS Catalina install, following bootstrap instructions from https://pkgsrc.joyent.com/install-on-osx/.
Short version: after bootstrapping, installing gpg2 from the Joyent binary package repo, and importing the public signing key into a keychain pointed to by GPG_KEYRING_VERIFY in pkg_install.conf, I am unable to validate as the Signature id in the signed package cannot be found: pkg_add: unable to verify signature: Signature key id 6d94c02e1f32a9ad not found
I've spent the last couple of days trying to validate packages signed with my own key and get the same results (different Signature key id of course). After much fiddling I finally decided that I must be doing something wrong and decided to start fresh with the Joyent bootstrap as a sanity check -- except it also fails for me.
Long version: here are the terminal logs from my install to show precisely what was done.