freebsd / pkg

Package management tool for FreeBSD. Help at #pkg on Libera Chat or pkg@FreeBSD.org

bootstrap from private repo fails #1975

Open dlangille opened 3 years ago

dlangille commented 3 years ago

This occurred on a FreeBSD 12.2 host.

root@freshports:/ # cat /usr/local/etc/pkg/repos/local.conf 
local: {
   url: "pkg+http://fedex.unixathome.org/packages/122amd64-default-master-list/"
   mirror_type: "srv",
   signature_type: "PUBKEY",
   pubkey: "/etc/ssl/slocum.unixathome.org.cert",   
   enabled: true
}

root@freshports:/ # pkg-static bootstrap -f
pkg(8) is already installed. Forcing reinstallation through pkg(7).
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://fedex.unixathome.org/packages/122amd64-default-master-list/, please wait...
pkg: error:04091068:rsa routines:int_rsa_verify:bad signature
Verifying signature with public key /etc/ssl/slocum.unixathome.org.cert... failed
Signature is not valid

To get this working, I had to bootstrap from FreeBSD repos. I'm not sure if my bootstrap data is improperly signed or not.

I have confirmed the cert at /etc/ssl/slocum.unixathome.org.cert matches what's on other hosts.

This works, and to me, confirms the cert is valid, at least for other packages in this repo.

root@freshports:/var/cache/pkg # pkg install -f pkg
Updating local repository catalogue...
local repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
    pkg-1.17.1

Number of packages to be reinstalled: 1

7 MiB to be downloaded.

Proceed with this action? [y/N]: y
[freshports] [1/1] Fetching pkg-1.17.1.pkg: 100%    7 MiB   7.6MB/s    00:01    
Checking integrity... done (0 conflicting)
[freshports] [1/1] Reinstalling pkg-1.17.1...
[freshports] [1/1] Extracting pkg-1.17.1: 100%

dlangille commented 3 years ago

Today I duplicated the situation on a new jail. The following is right after entering the jail for the first time. No pkg commands have been run until this.

root@freshports:/ # pkg install pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://fedex.unixathome.org/packages/122amd64-default-master-list/, please wait...
pkg: error:04091068:rsa routines:int_rsa_verify:bad signature
Verifying signature with public key /etc/ssl/slocum.unixathome.org.cert... failed
Signature is not valid
root@freshports:/ # pkg bootstrap -f 
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://fedex.unixathome.org/packages/122amd64-default-master-list/, please wait...
pkg: error:04091068:rsa routines:int_rsa_verify:bad signature
Verifying signature with public key /etc/ssl/slocum.unixathome.org.cert... failed
Signature is not valid
root@freshports:/ # pkg-static bootstrap -f

dlangille commented 3 years ago

Is it possible to bootstrap from a private repo?

edit: I am sure it is, as the process I'm using is not new. It worked at one time.

dlangille commented 3 years ago

Current theory: pkg-static supplied with base is unable to validate any non-FreeBSD repo. That's OK. Just got to know that.

ohauer commented 2 years ago

I've been using pkg for a long time with a private repo (PD builds) and never had an issue bootstrapping pkg itself on systems without internet access (using the command pkg update).

The only difference is that I have the fingerprint configured:

mysite: {
  enabled         : yes,
  url             : "pkg+http://pkg.my.site/FreeBSD/pkg/${ABI}/latest",
  mirror_type     : "srv",
  signature_type  : "pubkey",
  pubkey          : "/usr/local/etc/pkg/repos/pkg.my.site.pub"
  fingerprints    : "/usr/local/etc/pkg/keys"
}

cat /usr/local/etc/pkg/keys/trusted/pkg.my.site
# 2015-09-13 pkg.my.site repo fingerprint
function: sha256
fingerprint: d02....2e

ohauer commented 2 years ago

To get some info for my PR https://github.com/freebsd/pkg/issues/2053, I removed everything with pkg delete -af:

#> pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.my.site/FreeBSD/pkg/FreeBSD:12:amd64/latest, please wait...
Verifying signature with public key /usr/local/etc/pkg/repos/pkg.my.site.pub... done  <-- this is failing in your case
Installing pkg-1.18.3...
Extracting pkg-1.18.3: 100%
Updating str repository catalogue...
mysite repository is up to date.
All repositories are up to date.
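
A check that separates the two causes the thread leaves open (a wrong key versus a signature made over different data), as an added example that is not from the thread or from pkg. It uses only the openssl CLI on files constructed in a temporary directory, and the two signed-input layouts it tries are assumptions for illustration, not pkg's documented format.

```shell
#!/bin/sh
# Added example. All files are constructed in a temp dir; the two signed-input
# layouts below are assumptions for illustration, not pkg's documented format.

hex_sha256() {  # lowercase hex SHA-256 of file $1, no trailing newline
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1 | tr -d '\n'
}

# classify PUBKEY FILE SIG: print which signed input SIG matches under PUBKEY.
#   raw        SIG covers the bytes of FILE
#   hexdigest  SIG covers the hex SHA-256 string of FILE
#   none       wrong key, altered FILE, or some other layout
classify() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
    then echo raw
    elif hex_sha256 "$2" |
        openssl dgst -sha256 -verify "$1" -signature "$3" >/dev/null 2>&1
    then echo hexdigest
    else echo none
    fi
}

# make_fixture DIR: a repo key pair, an unrelated key pair, one payload, and
# one signature per layout, all written into DIR.
make_fixture() {
    for k in repo other; do
        openssl genrsa -out "$1/$k.key" 2048 2>/dev/null &&
        openssl rsa -in "$1/$k.key" -pubout -out "$1/$k.pub" 2>/dev/null ||
        return 1
    done
    printf 'constructed bootstrap payload\n' > "$1/payload.bin" &&
    openssl dgst -sha256 -sign "$1/repo.key" -out "$1/raw.sig" "$1/payload.bin" &&
    hex_sha256 "$1/payload.bin" |
        openssl dgst -sha256 -sign "$1/repo.key" -out "$1/hex.sig"
}

demo() {
    d=$(mktemp -d) && make_fixture "$d" || return 1
    echo "repo.pub  + raw.sig: $(classify "$d/repo.pub" "$d/payload.bin" "$d/raw.sig")"
    echo "repo.pub  + hex.sig: $(classify "$d/repo.pub" "$d/payload.bin" "$d/hex.sig")"
    echo "other.pub + raw.sig: $(classify "$d/other.pub" "$d/payload.bin" "$d/raw.sig")"
    rm -rf "$d"
}
demo
```

On a real host, `classify` takes the repository public key, the downloaded bootstrap package and its detached signature; a result other than `none` means the key is right and the open question is which input the signer hashed.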