freebsd / pkg

Package management tool for FreeBSD. Help at #pkg on Libera Chat or pkg@FreeBSD.org

pkg fails to validate rsa signature on 14.0-CURRENT #2169

Closed igalic closed 2 months ago

igalic commented 1 year ago

my repository:

# FreeBSD pkgbase repo

FreeBSD-base: {
  url: "https://alpha.pkgbase.live/current/${ABI}/latest",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/pkg/keys/alpha.pkgbase.live.pub",
  enabled: yes
}

the key

# pkg update -r FreeBSD-base
Updating FreeBSD-base repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
Fetching packagesite.pkg: 100%   33 KiB  33.6kB/s    00:01    
pkg: -----BEGIN PUBLIC KEY-----
[public key body omitted]
-----END PUBLIC KEY-----
: rsa signature verification failure
pkg: Invalid signature, removing repository.
Unable to update repository FreeBSD-base
Error updating repositories!

This works fine on 13-STABLE and 13.2-RELEASE, so I suspect it's got something to do with OpenSSL 3.0.

dfr commented 1 year ago

@igalic did you figure out a workaround for this? I'm seeing it on a 14.0-ALPHA1 VM running 'pkg update' directed to my home lab pkgbase builder. A 13-STABLE VM doesn't show the problem for me either.

igalic commented 1 year ago

Unfortunately, no. The workaround @bapt suggested on IRC to use pkg from 14 for signing didn't accomplish anything.

ttyva commented 1 year ago

This seems to be from b4d2e2f. Forcing pkg to always use the OpenSSL 3.0 stuff in libpkg/rsa.c fixes signing for -CURRENT from -STABLE for me. patch-libpkg_rsa.txt

igalic commented 1 year ago

Could you submit that as a pull request? I can't even look at the patch (on my phone, the computer I use 90% of the time).

bapt commented 1 year ago

@ttyva your patch breaks backward compatibility, hence why it hasn't been done, as described in the commit log.

bdrewery commented 8 months ago

This is still a problem with 1.20.9. Poudriere uses the jail's pkg for signing the repo. So for me 13.2 jail pkg signing and later a 14.0 host with pkg -j fails to validate the signature. It needs to be forward compatible somehow.

bdrewery commented 8 months ago

> This seems to be from b4d2e2f. Forcing pkg to always use the OpenSSL 3.0 stuff in libpkg/rsa.c fixes signing for -CURRENT from -STABLE for me. patch-libpkg_rsa.txt

I dropped this patch in my pkg port to always use the new signature (even on openssl111 jails) and now my jails are again working. (Also spawned the need for a Poudriere feature to force rebuild pkg without deleting all packages. I'll push that out at some point).

clausecker commented 7 months ago

Ran into the same issue today: I distribute packages from my 13.2-based host, while building them on/for a 14.0 box. For security, packages are signed on the 13.2-based host, which now fails.

This has been open for quite some time now. Can we maybe get a fix committed?

lapo-luchini commented 7 months ago

> the workaround @bapt suggested on IRC to use pkg from 14 for signing didn't accomplish anything

Actually signing on 14 and installing on 13 works for me, but only after I update pkg as the old one from 13 is not good enough. On a TrueNAS of mine I have the following startup script in order to use my own packages (signed from 14):

rm /usr/local/etc/pkg/repos/FreeBSD.conf /usr/local/etc/pkg/repos/local.conf
cp my-repos/* /usr/local/etc/pkg/repos/
pkg install -yr FreeBSD pkg
pkg install -y node_exporter vmutils …

Doing the second pkg install directly would fail as it cannot parse my repo's signature, but first forcing a pkg update from repo FreeBSD solves it for me.

bapt commented 2 months ago

We won't be able to provide a better upgrade path, unfortunately.