On 27/12/2012 21:01, Garrett Wollman wrote: >> I'm creating my own repository and have created a key for it. > [...] >> >What does pkg expect to be in this file?
> A public key. It does not use X.509 (nor is there any reason why it > should, although I suppose it could be made to at the cost of > significant added complexity and a bootstrapping problem). pkgng has a quite minimal signing setup -- it uses naked RSA public/private keys without committing to either of the two popular models for providing assurance on the validity of public keys (viz: PGP web of trust or X509 style certificate chains to some trusted root certificate). It's not clear at the moment if one or other or neither of those styles would be preferred in the future. Or it may well be the case that RFC6698 (DANE -- DNS-Based Authentication of Named Entities) via DNSSEC signed zone data[*] is preferred over either of the two means frequently used at the moment. Remember that there's really only one cryptographic signature needed for each architecture/OS version specific repository catalogue. So not a huge maintenance burden keeping the DNS up to date and signed even if a new repository catalogue is published each day. Cheers, Matthew [*] FreeBSD.org is not currently DNSSEC signed, so use of DANE will have to remain no more than a pipe-dream for the time being. -- Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey
signature.asc
Description: OpenPGP digital signature