Closed igalic closed 2 months ago
@igalic did you figure out a workaround for this? I'm seeing it on a 14.0-ALPHA1 VM running 'pkg update' directed to my home lab pkgbase builder. A 13-STABLE VM doesn't show the problem for me either.
unfortunately, no. the workaround @bapt suggested on IRC to use pkg from 14 for signing didn't accomplish anything
This seems to be from b4d2e2f. Forcing pkg to always use the OpenSSL 3.0 stuff in libpkg/rsa.c fixes signing for -CURRENT from -STABLE for me. patch-libpkg_rsa.txt
could you submit that as pull request? i can't even look at the patch (on my phone, the computer i use 90% of the time)
@ttyva your patch breaks backward compatibility, hence why it hasn't been done, as described in the commit log
This is still a problem with 1.20.9. Poudriere uses the jail's pkg for signing the repo. So for me 13.2 jail pkg signing and later a 14.0 host with pkg -j fails to validate the signature. It needs to be forward compatible somehow.
> This seems to be from b4d2e2f. Forcing pkg to always use the OpenSSL 3.0 stuff in libpkg/rsa.c fixes signing for -CURRENT from -STABLE for me. patch-libpkg_rsa.txt
I dropped this patch in my pkg port to always use the new signature (even on openssl111 jails) and now my jails are again working. (Also spawned the need for a Poudriere feature to force rebuild pkg without deleting all packages. I'll push that out at some point).
Ran into the same issue today: I distribute packages from my 13.2-based host, while building them on/for a 14.0 box. For security, packages are signed on the 13.2-based host, which now fails.
This has been open for quite some time now. Can we maybe get a fix committed?
> the workaround @bapt suggested on IRC to use pkg from 14 for signing didn't accomplish anything
Actually signing on 14 and installing on 13 works for me, but only after I update pkg as the old one from 13 is not good enough.
On a TrueNAS of mine I have the following startup script in order to use my own packages (signed from 14):
```
rm /usr/local/etc/pkg/repos/FreeBSD.conf /usr/local/etc/pkg/repos/local.conf
cp my-repos/* /usr/local/etc/pkg/repos/
pkg install -yr FreeBSD pkg
pkg install -y node_exporter vmutils …
```
Doing the second pkg install directly would fail as it cannot parse my repo's signature, but first forcing a pkg update from repo FreeBSD solves it for me.
we won't be able to provide a better upgrade path, unfortunately
my repository:
the key
This works fine on 13-STABLE and 13.2-RELEASE, so I suspect it's got something to do with OpenSSL 3.0