Annotation of wikisrc/users/spz/pkgsig.mdwn, revision 1.3
1.2 wiki 1: ## pkgsig
2:
1.1 wiki 3: - gpg for now
4: - master packages-signing signing key, which signs keys that are good for one arch/os-version/quarterly
5: - agc wants the signing to be done under human control; change the rsync task to send mail to the pbulk admin. Wait until the bulk signing is done and use a lock file to indicate it's time to sync? Or just start the rsync manually in a script that also does the signing?
1.3 ! wiki 6:
! 7: ### how does signing work? do we have tools to sign an entire harvest of packages in one go?
! 8: signing is done using pkg_admin from the pkgtools/pkg_install package; pkg_admin gpg-sign-package <src> <dest>
! 9:
! 10: signed packages are ar archives:
! 11:
! 12: +PKG_HASH
! 13: +PKG_GPG_SIGNATURE
! 14: p5-DateTime-Format-W3CDTF-0.07nb1.tmp.tgz
! 15:
! 16: The tools want to sign each package as it is built. Joyent uses gpg-agent for that, so no bulk-signing toos yet, however signing packages later is not hard, so to batch sign,
! 17:
! 18: for i in $unsigned; do
! 19: mv $i ${i%.tgz}.tmp.tgz
! 20: pkg_admin gpg-sign-package ${i%.tgz}.tmp.tgz signedpkgs/$i
! 21: done
! 22:
! 23: This still wants the passphrase for every single package, so flank with gpg-agent. Does gpg-agent have an issue with chroots? It wouldn't work in the build chroot but may simply have issues due to both gnupg and gnupg2 being installed.
! 24:
! 25: pkg_install from pkgsrc currently has some issues when encountering a signed package with pkg_add: you can't install it unless you have the means to verify it first, even if you expressly do not want to verify it. Base pkg_add complains but installs.
! 26:
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb
![[BACK]](/icons/back.gif){kind=icon}
Return to pkgsig.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / users / spz