Diff for /wikisrc/users/spz/pkgsig.mdwn between versions 1.2 and 1.3

version 1.2, 2017/09/26 08:06:19 | version 1.3, 2017/10/03 03:08:22
Line 3 Line 3
 - gpg for now  - gpg for now
 - master packages-signing signing key, which signs keys that are good for one arch/os-version/quarterly  - master packages-signing signing key, which signs keys that are good for one arch/os-version/quarterly
 - agc wants the signing to be done under human control; change the rsync task to send mail to the pbulk admin. Wait until the bulk signing is done and use a lock file to indicate it's time to sync? Or just start the rsync manually in a script that also does the signing?  - agc wants the signing to be done under human control; change the rsync task to send mail to the pbulk admin. Wait until the bulk signing is done and use a lock file to indicate it's time to sync? Or just start the rsync manually in a script that also does the signing?
 - how does signing work? do we have tools to sign an entire harvest of packages in one go?  
   ### how does signing work? do we have tools to sign an entire harvest of packages in one go?
   signing is done using pkg_admin from the pkgtools/pkg_install package; pkg_admin gpg-sign-package <src> <dest>
   
   signed packages are ar archives:
     
       +PKG_HASH
       +PKG_GPG_SIGNATURE
       p5-DateTime-Format-W3CDTF-0.07nb1.tmp.tgz
   
   The tools want to sign each package as it is built. Joyent uses gpg-agent for that, so no bulk-signing toos yet, however signing packages later is not hard, so to batch sign,
   
       for i in $unsigned; do
         mv $i ${i%.tgz}.tmp.tgz
         pkg_admin gpg-sign-package ${i%.tgz}.tmp.tgz signedpkgs/$i
       done
   
   This still wants the passphrase for every single package, so flank with gpg-agent. Does gpg-agent have an issue with chroots? It wouldn't work in the build chroot but may simply have issues due to both gnupg and gnupg2 being installed.
   
   pkg_install from pkgsrc currently has some issues when encountering a signed package with pkg_add: you can't install it unless you have the means to verify it first, even if you expressly do not want to verify it. Base pkg_add complains but installs.
   
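Review bot: the batch-signing loop in the added text has no error handling; it renames each package to `.tmp.tgz` before calling `pkg_admin gpg-sign-package` and never checks the exit status, so a failed signing (e.g. the passphrase prompt the note itself says appears for every package) leaves the unsigned archive under the `.tmp.tgz` name, produces no `signedpkgs/$i`, and the loop silently moves on. Suggest running it under `set -e` or checking the result explicitly, e.g. `pkg_admin gpg-sign-package "${i%.tgz}.tmp.tgz" "signedpkgs/$i" || { echo "signing failed: $i" >&2; exit 1; }`, and quoting `"$i"` throughout. The ar listing above also shows the `.tmp.tgz` name surviving as the archive member name, which is worth stating explicitly next to the loop so readers know that is expected rather than a leftover. Finally, the last paragraph records two different pkg_add behaviours on an unverifiable signed package (pkgsrc pkg_install refuses, base pkg_add warns and installs); the note should say which behaviour the signing plan relies on, since the refusal is the one that actually enforces the signature.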



CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb