On Wed, Sep 09, 2015 at 09:21:24AM -0400, Shawn Webb wrote: > On Wednesday, 09 September 2015 10:56:20 AM Baptiste Daroussin wrote: > > On Wed, Sep 09, 2015 at 09:14:12AM +0200, Marko Cupać wrote: > > > On Tue, 8 Sep 2015 23:28:59 +0200 > > > > > > Baptiste Daroussin <b...@freebsd.org> wrote: > > > > On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote: > > > > > Hi, > > > > > > > > > > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg > > > > > with signature_type="pubkey". > > > > > > > > > > Quick search returns: > > > > > https://github.com/freebsd/pkg/issues/1309 > > > > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622 > > > > > > > > > > I guess it is not hard to switch repo to fingerprints, however I > > > > > would not expect to lose this functionality by updating to > > > > > patchlevel. > > > > > > > > Implemented in head: r287579 I will MFC it asap. And see if it cannot > > > > be added asap to a next patchlevel update. > > > > > > > > Best regards, > > > > Bapt > > > > > > Thanx! > > > > > > Just a few quick not-completely-related questions: poudriere has the > > > ability to sign repos with PKG_REPO_SIGNING_KEY, but not with external > > > command, right? Is there a plan to support it? Can I build packages in > > > poudriere without PKG_REPO_SIGNING_KEY, and sign repo later on with > > > external command? > > > > First yes I plan to add the ability to sign the package used to bootstrap > > via PKG_REPO_SIGNING_KEY asap in poudriere. > > > > Second you can keep your current configuration of poudriere, the signing > > with pubkey works perfectly well. All you need to do is either via a > > poudriere post bulk hook or manually go in the directory where your > > packages lives (in the Latest directory) and > > echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \ > > -binary -out ./pkg.txz.pubkeysig > > I can't find any documentation in neither Poudriere's manpage nor in > poudriere.conf.sample on how toadd a post bulk hook. > > Is the signing_command option to `pkg repo` really only used in generating > pkg.txz.sig? Is there any formal documentation about the cryptography design > and architecture in relation to pkg's repositories? > > Thanks,
This is the doc we have on hooks: https://github.com/freebsd/poudriere/wiki/hooks Would be nice to get more stuff in there :) Best regards, Bapt
pgpYRpTbmc4pz.pgp
Description: PGP signature
