Greetings all,
Here's the webrev for the manifest signing changes:
http://cr.opensolaris.org/~bpytlik/ips-11611-v4/
I hope that this will be the last version as I believe all features are
present.
Here's what changed since version 2:

Fix for how manifests are loaded into the package plan so that when the
signature is checked, it always has the entire manifest available to it.
After the signatures are checked, the actions are discarded based
on variant tags.

A small change so that manually approved CA certs are considered valid
even when they can't be validated.

Transport has been changed to merge with the other recent changes to
transport.

pkg.sig_alg, pkg.sig_version, pkg.sigval, etc. have been moved to the
common format pkg.sig.X.

The document on signed manifests has been updated with more examples and
details, and a new section on publication has been added.

The manual management of publisher certificates has been changed from
add/remove to approve/revoke/unset, where unset removes all manually
added client knowledge of the certificate, whether it had been
previously approved or revoked.

The method of updating publishers with manually configured
certificates in client.py and api.py has been redone to allow for
certificates to be manually configured when a publisher is created.

Man pages have been updated and examples have been added for the new
functionality.

The packaging for pkg and pkg5 has been updated to reflect the new
dependencies.
----------------------------------------------------------------
For those internal, I've set up two repos, one for 144 and another for
145 which have signed manifests in them. For those external, you can
sign your own repo using pkgsign --sign-all with appropriate arguments
(you'll need to set up your own certificates to sign). Because the
current default behavior is to ignore signatures, the first step is to
enable signature validation:

    pkg set-property signature-policy verify

Also, please configure the opensolaris.org publisher to require
signatures and point to the signed repo/depo:

    pkg set-publisher --set-property signature-policy=require-signatures -O <repo uri> opensolaris.org

At this point, trying to install or update any packages from the
opensolaris publisher should fail because the trust anchor hasn't been
configured yet.
Two options are possible now. One is to do the following commands:

    gzcat /net/mountaineer.sfbay/tank/repo-145/repo/file/49/49a498e39d8d32ae8fb0de81ac017581a0743cc3 > tmp.txt
    pkg set-publisher --add-signing-ca-cert <full path to tmp.txt> opensolaris.org

The other is to copy /net/mountaineer.sfbay/export/home/bpytlik/TAs into
a directory on your machine and then do

    pkg set-property trust-anchor-directory <path to directory>

Obsolete packages may cause problems with your upgrade because the
obsolete package's manifest may already be on your system in an unsigned
form. If you encounter problems with a package being unsigned and its
version is less than 145, please remove the manifest for that package
from /var/pkg/pkg, and try again. Because I was at 143 but had 144
manifests on my system, I saw this mostly with X packages. If you don't
have build 144 manifests on your system, it seems like it should go
smoothly.
A similar problem will happen if you already have version 14X manifests
on your system and you're upgrading to 14X.
144 Repo uris:
http://mountaineer.sfbay:20144
file:///net/mountaineer.sfbay/tank/repo-144/repo
145 Repo uris:
http://mountaineer.sfbay:20145
file:///net/mountaineer.sfbay/tank/repo-145/repo
Thanks for taking a look,
Brock
_______________________________________________
pkg-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
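
The first change listed in the message (check the signature while the entire manifest is available, then discard actions by variant tag) can be seen in a small model. This is an added illustration, not code from pkg(5) or the webrev: the action lines, key and function names are constructed, and HMAC-SHA256 stands in for the certificate-based signature.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stand-in for the publisher's signing key

# Constructed manifest: one action per line, some tagged with a variant.
MANIFEST = [
    "file path=usr/bin/tool variant.arch=i386",
    "file path=usr/bin/tool variant.arch=sparc",
    "file path=etc/tool.conf",
]

def sign(actions):
    """Sign the complete action list (HMAC-SHA256 replaces the real signature)."""
    data = "\n".join(sorted(actions)).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify(actions, sig):
    """True only if sig covers exactly this set of actions."""
    return hmac.compare_digest(sign(actions), sig)

def filter_variants(actions, arch):
    """Keep untagged actions and those tagged for this architecture."""
    kept = []
    for action in actions:
        tags = [t for t in action.split() if t.startswith("variant.arch=")]
        if not tags or tags[0] == "variant.arch=" + arch:
            kept.append(action)
    return kept

def load_verify_then_filter(actions, sig, arch):
    """Order described in the message: verify the full manifest, then discard."""
    if not verify(actions, sig):
        raise ValueError("signature check failed")
    return filter_variants(actions, arch)

def load_filter_then_verify(actions, sig, arch):
    """Wrong order: the signer never saw the filtered subset, so this rejects
    a correctly signed manifest on every client that drops a variant."""
    kept = filter_variants(actions, arch)
    if not verify(kept, sig):
        raise ValueError("signature check failed")
    return kept

if __name__ == "__main__":
    sig = sign(MANIFEST)
    print(load_verify_then_filter(MANIFEST, sig, "i386"))
```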