Thanks to letsencrypt, I switched my server to full-https, and while here
set up a signify key for the packages I build. That still means that
you need to trust me (and who am I to be trusted?), the root CA that
trusts letsencrypt, and upstream mozilla, but that was a nice
experiment, and somewhat requested. That doesn't mean I endorse all the
fluff and wanking around privacy/trust/whatnot...

Note the difference, since the server now uses HSTS, if you still use a
PKG_PATH pointing to http:// pkg_add might spew warnings when scanning
the repo:

Error from http://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz
Redirected to https://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz
Requesting https://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz

The git/cgit repo is now accessible over https if you want to build
packages yourself:

git clone -b release https://git.rhaalovely.net/git/mozilla-firefox

The key & packages are on the same server:
$ doas ftp -o /etc/signify/landry-mozilla-pkg.pub
$ PKG_PATH=https://rhaalovely.net/stuff/i386/ doas pkg_add firefox
$ PKG_PATH=https://rhaalovely.net/stuff/amd64/ doas pkg_add firefox

And you can check that the package/PLIST is effectively signed by this

$ pkg_info -f /var/db/pkg/firefox-43.0rc1 | grep sign
@signer landry-mozilla-pkg
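
An exact-match version of the signer check above, as an added example that is not part of the original post: it compares the @signer name in a packing-list against the expected key name instead of matching any line containing "sign". The function name, exit codes and sample packing-list are assumptions made for illustration; the sample is constructed, not real pkg_info output.

```shell
#!/bin/sh
# check_signer NAME: read a packing-list on stdin (as printed by
# `pkg_info -f <pkg>`) and compare its @signer annotation with NAME.
# Exit status (hypothetical convention for this example):
#   0 = signed by NAME          1 = signed by a different key
#   2 = no @signer line at all  3 = more than one distinct signer
check_signer() {
    awk -v want="$1" '
        # Only the annotation itself counts, not any line containing "sign".
        $1 == "@signer" { seen[$2] = 1 }
        END {
            n = 0
            for (s in seen) { n++; name = s }
            if (n == 0)       { print "unsigned"; exit 2 }
            if (n > 1)        { print "conflicting signers"; exit 3 }
            if (name != want) { print "signed by " name; exit 1 }
            print "ok " name
            exit 0
        }'
}

# Constructed sample packing-list; the file name contains "sign" on purpose
# to show that only the @signer line is considered.
sample_plist() {
    cat <<'EOF'
@name firefox-43.0rc1
@signer landry-mozilla-pkg
@comment constructed sample, not real package contents
lib/firefox-43.0rc1/design-notes.txt
EOF
}

# Demo on the constructed sample. On a real system the input would come from
#   pkg_info -f firefox | check_signer landry-mozilla-pkg
sample_plist | check_signer landry-mozilla-pkg
```
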


