On Fri, Jan 17, 2014 at 12:39:49PM -0500, sven falempin wrote:
> I read the manuals, and well, I am still unsure,
>
> if I put SIGNER=bob in the package configuration
>
> then it will be signed with
>
> /etc/signify/bob.sec
>
> having to read 4 different manual pages to get this is strange :p
No, that part got simpler.

Keys are currently under /etc/signify. They *must* be there for the public keys.

Keys for signed packages should match *pkg.sec / *pkg.pub (distinguished by function: firmware keys end in fw.sec / fw.pub).

Read signify(1) to generate the keys. Say:

    signify -G -n -s sven-pkg.sec -p sven-pkg.pub

For signing while building, just set

    SIGNING_PARAMETERS = -s signify -s /etc/signify/sven-pkg.sec

For signing after building, do something like:

    cd /usr/ports/packages/${ARCH}
    mkdir signed
    pkg_create -j4 -v -s signify -s /etc/signify/sven-pkg.sec -o signed -S all

That's all there is to it.

If both the pubkey and privkey are present, the first signed package written out will be checked (signify keys don't carry any identity, they just have a fingerprint, so key mismatches are easy to create if you're not careful -> the signed package carries a @signer sven-pkg annotation to select the correct key).

pkg_add will trust keys under /etc/signify that match *pkg.pub.

If you really want to trust a specific key *only*:

    pkg_add -DSIGNER=sven-pkg ...

If some booboo happened, pkg_add -Dnosig will not check sigs at all...
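As an added example, not from the thread or from the OpenBSD tools: a small POSIX shell pre-flight check that applies the rules given in the reply above (key names must match *pkg.sec / *pkg.pub under /etc/signify, the @signer name is the key file's basename) and, because the only thing tying a .pub to its .sec is the key number inside the files, checks that the two actually belong together before any package is signed. It assumes the current signify key file layout (line 2 is base64; the 8-byte key number sits at offset 2 in a .pub and offset 32 in a .sec) and coreutils-style `base64 -d` and `od`; `fake_key` writes constructed files for exercising the checks, not usable keys.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks on a signify package
# signing key following the naming rules above. Assumes the current key file
# format (line 2 is base64, 8-byte key number at offset 2 in .pub, 32 in .sec)
# and a coreutils-style `base64 -d` / `od`.
SIGNIFY_DIR="${SIGNIFY_DIR:-/etc/signify}"

# key_kind FILE: "pkg" or "fw" for a name pkg_add / fw_update will pick up,
# non-zero otherwise (a key called bob.sec is never trusted automatically).
key_kind() {
    case "$(basename "$1")" in
        *pkg.sec|*pkg.pub) echo pkg ;;
        *fw.sec|*fw.pub)   echo fw ;;
        *)                 return 1 ;;
    esac
}

# keynum FILE OFFSET: hex of the 8-byte key number embedded in a key file.
keynum() {
    sed -n 2p "$1" | base64 -d | od -An -tx1 -j"$2" -N8 | tr -d ' \n'
}

# check_signer NAME (the @signer value, also used as pkg_add -DSIGNER=NAME):
# 0 if NAME.sec/NAME.pub are a trusted-style matching pair; 1 bad name,
# 2 no secret key, 3 no public key, 4 the two files do not belong together.
check_signer() {
    sec="$SIGNIFY_DIR/$1.sec"; pub="$SIGNIFY_DIR/$1.pub"
    key_kind "$sec" >/dev/null || { echo "bad key name: $1" >&2; return 1; }
    [ -f "$sec" ] || { echo "missing $sec" >&2; return 2; }
    [ -f "$pub" ] || { echo "missing $pub: first package won't be self-checked" >&2; return 3; }
    [ "$(keynum "$sec" 32)" = "$(keynum "$pub" 2)" ] ||
        { echo "$sec and $pub are not a pair" >&2; return 4; }
    echo "pkg_create -s signify -s $sec -o signed -S all   # pkg_add -DSIGNER=$1"
}

# fake_key FILE LEN OFFSET KEYNUM: constructed key file (not a usable key) in
# signify's two-line layout, with the 8-char KEYNUM placed at byte OFFSET.
fake_key() {
    {
        printf 'untrusted comment: constructed test key\n'
        { head -c "$3" /dev/zero; printf %s "$4"; head -c $(($2-$3-8)) /dev/zero; } |
            base64 | tr -d '\n'
        echo
    } >"$1"
}
```

With real keys in place, `check_signer sven-pkg` prints the pkg_create invocation to use; point SIGNIFY_DIR at a scratch directory filled by `fake_key` (secret file 104 bytes, offset 32; public file 42 bytes, offset 2) to try the failure cases without touching /etc/signify.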