On Mon, Feb 08, 2016 at 03:05:00PM -0800, patrick keshishian wrote:
> On Mon, Feb 08, 2016 at 07:28:24PM +0100, Marc Espie wrote:
> > On Sun, Feb 07, 2016 at 09:42:32AM -0600, joshua stein wrote:
> > > We don't recommend FTP mirrors anymore, installing a package via a
> > > pipe doesn't seem to work anymore, and packages have to be signed to
> > > be installed so the advice about miscreants is not very relevant.
> > > 
> > > 
> > Installing packages through pipes should still work.
> > Surprised it got broken.
> > 
> > you can still install non-signed packages if you really try.
> 
> I haven't built ports in a while, but does this comment mean
> that if I'm building my own ports (moving forward), the
> resulting packages must be signed?

Nope, just be careful not to mix your packages with other stuff, and how
you move them around. Signing with your personal key is not hard.

Specifically,
- you can use -Dunsigned to install your own unsigned packages
- beware of mixing up your unsigned packages AND official packages for
dependencies (e.g., the latter should be signed). Note that even with
-Dunsigned, packages with a signature will *still* have their signature
checked for tampering.
- take care of your unsigned packages properly. Getting them around
insecure networks obviously allows tampering. You can use scp://
urls to prevent that.

Automatic signing is reasonably easy. You need to generate a
public/private key pair using signify, have them be of the form
XXX-pkg.sec and XXX-pkg.pub, put at least the pubkey under /etc,
then set SIGNING_PARAMETERS properly in /etc/mk.conf, e.g.,
SIGNING_PARAMETERS=-s signify -s /etc/XXX-pkg.sec

(There's no PKI; the bootstrap part means getting the pub key under the
correct directory manually.)


Admittedly, it's safe if you trust your ports building system, and you have
to take extra care (as usual) to not let /etc/XXX-pkg.sec out of your sight...

You can also build packages normally and sign later off-site using pkg_sign.
More cumbersome, but somewhat safer...

In my opinion, there's nothing in there that's not glaringly obvious if
you have a background in the use of public key cryptography.   We went out
of our way to make the design of the package signing system fairly
intuitive and the possible security trade-offs highly visible (as far as 
public key cryptography can be, of course).
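The setup described in this reply, as an added shell example that is not code from the thread or from OpenBSD. It assumes a key prefix (e.g. "mykey") and a directory standing in for /etc passed as arguments, so the functions can be exercised against a scratch directory; the function names are my own.

```shell
#!/bin/sh
# Added example: signify-based package signing as described in the thread.
# Assumed: key prefix NAME and ETCDIR (normally /etc) are passed as arguments.

# The line to append to /etc/mk.conf so ports builds sign automatically.
signing_parameters_line() {
    printf 'SIGNING_PARAMETERS=-s signify -s %s\n' "$1"
}

# Generate NAME-pkg.sec / NAME-pkg.pub in ETCDIR with signify(1).
# -n skips the passphrase, which unattended builds need; the secret key's
# file permissions then become the only thing guarding it.
generate_pkg_keys() {
    etcdir=$1; name=$2
    command -v signify >/dev/null 2>&1 || { echo "signify not found" >&2; return 2; }
    signify -G -n -c "$name package signing key" \
        -p "$etcdir/$name-pkg.pub" -s "$etcdir/$name-pkg.sec" || return 1
    chmod 600 "$etcdir/$name-pkg.sec"
}

# Pre-flight check before enabling signing: both key files present and
# non-empty, and the secret key unreadable by group and others.
check_pkg_keys() {
    etcdir=$1; name=$2
    sec="$etcdir/$name-pkg.sec"; pub="$etcdir/$name-pkg.pub"
    [ -s "$sec" ] || { echo "missing or empty $sec" >&2; return 1; }
    [ -s "$pub" ] || { echo "missing or empty $pub" >&2; return 1; }
    # First 10 characters of ls -l are the type and mode, e.g. -rw-------
    mode=$(ls -l "$sec" | cut -c1-10)
    case $mode in
        -r??------) return 0 ;;        # owner-only access
        *) echo "$sec is accessible to others ($mode)" >&2; return 1 ;;
    esac
}

# Off-site signing of packages built without SIGNING_PARAMETERS, the
# pkg_sign alternative mentioned above: signed copies are written to OUTDIR.
sign_packages_later() {
    seckey=$1; outdir=$2; shift 2
    command -v pkg_sign >/dev/null 2>&1 || { echo "pkg_sign not found" >&2; return 2; }
    pkg_sign -s signify -s "$seckey" -o "$outdir" "$@"
}

# Typical use on the build host (uncomment on OpenBSD):
# generate_pkg_keys /etc mykey && check_pkg_keys /etc mykey &&
#     signing_parameters_line /etc/mykey-pkg.sec >> /etc/mk.conf
```

check_pkg_keys is the part worth running on any host that will hold the secret key: a group- or world-readable XXX-pkg.sec is exactly the "out of your sight" case the reply warns about.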
