On Sat, Dec 12, 2015 at 12:46:24PM +0100, Landry Breuil wrote:
> Hi,
> Thx to letsencrypt, i switched my server to full-https, and while here
> setupped a signify key for the packages i build. That still means that
> you need to trust me (and who am i to be trusted?), the root CA that
> trusts letsencrypt, and upstream mozilla, but that was a nice
> experiment, and somewhat requested. That doesnt mean i endorse all the
> fluff and wanking around privacy/trust/whatnot...
> Note the difference, since the server now uses HSTS, if you still use a
> PKG_PATH pointing to http:// pkg_add might spew warnings when scanning
> the repo:
> Error from http://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz
> Redirected to https://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz
> Requesting https://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz
> The git/cgit repo is now accessible over https if you want to build
> packages yourself:
> https://cgit.rhaalovely.net/mozilla-firefox/?h=release
> git clone -b release https://git.rhaalovely.net/git/mozilla-firefox
> The key & packages are on the same server:
> $doas ftp -o /etc/signify/landry-mozilla-pkg.pub 
> https://rhaalovely.net/stuff/landry-mozilla-pkg.pub
> $PKG_PATH=https://rhaalovely.net/stuff/i386/ doas pkg_add firefox
> (or)
> $PKG_PATH=https://rhaalovely.net/stuff/amd64/ doas pkg_add firefox
> And you can check that the package/PLIST is effectively signed by this
> key:
> $pkg_info -f /var/db/pkg/firefox-43.0rc1 |grep sign
> @signer landry-mozilla-pkg
> @digital-signature 
> signify:2015-12-12T11:16:08Z:RWRh/RSo0GgoYkXCBR/rv1w+zIm3snIJ8vxil57GUaLunfMCjtwhrYtcW/HPH4x43KxrFn+vYYuekCwbc7jD1ZSEiI71HuMe2Ag=
> Landry

To go full circle, could you sign your server's SSL certificate
(or the fingerprint thereof) with your signify key? :)

Reply via email to