On 28 Apr 2017, at 10:36, Jonathan Perkin wrote:

> * On 2017-04-28 at 06:33 BST, Paul Sture wrote:
>
>> c) The pkgin installation instructions at
>> https://pkgsrc.joyent.com/install-on-illumos/#tools-install
>> contain a SHA checksum for each package, plus the optional gpg method, but
>> only the gpg digests are held in the archives pointed to by that page
>> https://pkgsrc.joyent.com/packages/SmartOS/bootstrap/
>
> Hi Paul,
>
> I'm not clear on what you mean here. Could you elaborate?

I'm thinking of the situation where you wish to install anything but the
latest version of the packages.

An example should demonstrate:

The instructions for the current 64 bit SmartOS package download contain
this:

--------
#
# Copy and paste the lines below to install the 64-bit set.
#
BOOTSTRAP_TAR="bootstrap-2017Q1-x86_64.tar.gz"
BOOTSTRAP_SHA="133e4c7aac77e73fce6654db0055e514746be3d8"

# Download the bootstrap kit to the current directory.
curl -O https://pkgsrc.joyent.com/packages/SmartOS/bootstrap/${BOOTSTRAP_TAR}

# Verify the SHA1 checksum.
[ "${BOOTSTRAP_SHA}" = "$(/bin/digest -a sha1 ${BOOTSTRAP_TAR})" ] || echo "ERROR: checksum failure"
--------

If someone wants to download and install an earlier version, let's say
bootstrap-2017Q4-x86_64.tar.gz, that can be found in the archive as

bootstrap-2016Q4-x86_64.tar.gz      05-Jan-2017 12:13  58921783
bootstrap-2016Q4-x86_64.tar.gz.asc  05-Jan-2017 12:13       819

But there isn't a corresponding value supplied for BOOTSTRAP_SHA for
that version, so we cannot simply paste the appropriate values into
a copy of the current instructions.

This leaves us with using gpg as the only way to verify the download,
and before the fix you mention below that was problematic.

>> d) related to c) I have had various problems with the gpg command
>>
>> gpg --recv-keys 0xDE817B8E
>>
>> which doesn't always work. I'll post an example when I have more time
>
> I recently updated the page to fetch the keys directly from our site
> in this change:
>
> https://github.com/joyent/pkgsrc.joyent.com/commit/43173f2ed298ac3950a532e2a74a8acb12dcbece
>
> This ensures that the verification step works with the 'gpg' shipped
> as part of the platform, notably in the GZ.

Running the new flavour of the curl command worked fine thanks.

# curl -sS https://pkgsrc.joyent.com/pgp/DE817B8E.asc | gpg --import
gpg: directory `/root/.gnupg' created
gpg: can't open `/usr/share/gnupg/options.skel': No such file or directory
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key FAA66EE0: public key "Joyent Package Signing <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Those sit in the root home directory, so next step is to save 'em across
reboots.

Many thanks for your help, Jonathan.
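
For an older bootstrap kit where only the .asc file is available, the signature check can be pinned to one expected key by reading gpg's machine-readable status lines. This is an added example, not part of the thread or of the pkgsrc instructions; the function names are hypothetical and the full key fingerprint is an input the reader must supply, since the thread shows only short key IDs.

```shell
#!/bin/sh
# Added example (not from the thread). EXPECTED_FPR is the reader's value:
# the full fingerprint of the signing key, obtained out of band.

# sig_matches_fpr EXPECTED_FPR
# Reads `gpg --status-fd` output on stdin. Returns 0 only when a VALIDSIG
# line names EXPECTED_FPR as the signing key or its primary key and no
# failure status was reported; 1 on mismatch; 2 on an unusable fingerprint.
sig_matches_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case $want in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    # 8- and 16-digit key IDs are not fingerprints; require the full value.
    [ "${#want}" -ge 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Appending "" forces string comparison of the hex fields.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) {
            ok = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_bootstrap TARBALL EXPECTED_FPR
# Expects TARBALL.asc beside TARBALL and the public key already imported.
# Fails closed: if gpg is missing or prints no status, the result is 1.
verify_bootstrap() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        sig_matches_fpr "$2"
}

# Usage, with a placeholder for the fingerprint:
#   verify_bootstrap bootstrap-2016Q4-x86_64.tar.gz "<FULL_FINGERPRINT>" ||
#       echo "ERROR: signature check failure"
```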