On Tue, 8 Sep 2015 15:38:02 +0200 Fabian Keil <freebsd-lis...@fabiankeil.de> wrote:
> Marko Cupać <marko.cu...@mimar.rs> wrote:
>
> > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> > with signature_type="pubkey".
> >
> > Quick search returns:
> > https://github.com/freebsd/pkg/issues/1309
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> >
> > I guess it is not hard to switch repo to fingerprints, however I
> > would not expect to lose this functionality by updating to
> > patchlevel.
>
> The "functionality" pkg(7) "lost" is silently ignoring unsupported
> signature types which is dangerous if the network can't be trusted:
> https://www.freebsd.org/security/advisories/FreeBSD-EN-15:15.pkg.asc
> https://www.fabiankeil.de/gehacktes/hardenedbsd/
>
> If you absolutely want to, you can still bootstrap insecurely by
> temporarily setting the signature type to none.

I absolutely _don't_ want to bootstrap insecurely, and I am thankful to
people more skilled in security than me for discovering and fixing
vulnerabilities. I'd like to have the ability to bootstrap from my repo
securely, which I thought I had.

I am trying to switch to fingerprints, but I need a little help. On
client, I have:
- changed signature_type to "fingerprints"
- pointed fingerprints to a directory
- created two subdirs, 'revoked' and 'trusted'
- inside trusted, created a file with 'function' and 'fingerprint'

But when I try to bootstrap, I get the following message:

pkg: Error fetching http://pkg.example.com/packages/102amd64-default/Latest/pkg.txz.sig: Not Found

I am trying to follow example from pkg-repo(8) about creating and
signing repo with external command, but it does not work for me. To be
honest, I don't understand what exactly first command is supposed to do.
I guess it should create file similar to pkg.txz.sig on FreeBSD pkg
site, but it doesn't.
Perhaps because I am using tcsh and not sh, but switching to sh doesn't
help either:

# On signing server:
% cat > sign.sh << EOF
#!/bin/sh
read -t 2 sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
echo
echo CERT
cat repo.pub
echo END
EOF

The one who helps me figure this out can count on a few dozens of beers
when passing through Belgrade/Serbia.
--
Marko Cupać
https://www.mimar.rs/
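
Added example, not part of the original message: the sign.sh heredoc in the message above uses an unquoted `<< EOF`, so sh expands `$sum` while writing the file. This sketch writes the script both ways and checks the SIGNATURE/CERT/END output of the quoted version with openssl. The key, the digest, the helper functions and the file names unquoted.sh, out.sig, sig.bin and msg are constructed for the demo; `read -r` and `printf` stand in for `read -t` and `echo -n` for portability.

```sh
#!/bin/sh
# Added example. Key, digest and file names are constructed for the demo.
DIGEST=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  # sha256 of empty input

make_key() {       # $1 = work dir: throwaway 2048-bit RSA key pair
    openssl genrsa -out "$1/repo.key" 2048 2>/dev/null &&
    openssl rsa -in "$1/repo.key" -pubout -out "$1/repo.pub" 2>/dev/null
}

write_scripts() {  # $1 = work dir
    unset sum
    # Unquoted delimiter: the shell expands $sum now, while writing the file.
    cat > "$1/unquoted.sh" << EOF
read -r sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
EOF
    # Quoted delimiter: $sum reaches the file literally. read -r and printf
    # stand in for read -t and echo -n so that any POSIX sh can run it.
    cat > "$1/sign.sh" << 'EOF'
#!/bin/sh
read -r sum
[ -z "$sum" ] && exit 1
echo SIGNATURE
printf '%s' "$sum" | openssl dgst -sign repo.key -sha256 -binary
echo
echo CERT
cat repo.pub
echo END
EOF
}

# Sign digest $2, then verify framing and signature against $3 (default $2).
check_output() {
    ( cd "$1" || exit 1
      printf '%s\n' "$2" | sh ./sign.sh > out.sig || exit 1
      [ "$(head -n 1 out.sig)" = SIGNATURE ] || exit 1
      [ "$(tail -n 1 out.sig)" = END ] || exit 1
      # A 2048-bit RSA signature is 256 bytes, right after "SIGNATURE\n".
      tail -c +11 out.sig | head -c 256 > sig.bin
      printf '%s' "${3:-$2}" > msg
      openssl dgst -sha256 -verify repo.pub -signature sig.bin msg >/dev/null 2>&1 &&
      echo ok )
}

work=$(mktemp -d)
make_key "$work" && write_scripts "$work"
grep -F -- '-z' "$work/unquoted.sh" "$work/sign.sh"   # the two tests side by side
check_output "$work" "$DIGEST"
rm -rf "$work"
```

The unquoted variant ends up with `[ -z "" ] && exit 1` in the file and therefore exits 1 on every input, while the quoted variant signs the digest it reads.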