• Contact: Martin Husemann, tech-pkg
• Duration estimate: 1 month

We are currently not distributing official TNF binary packages with embedded signature. The pkgsrc infrastructure seems to be mostly there, but there are loose ends and this makes NetBSD fall back behind other pkgsrc users where everything needed comes with the bootstrap kit.

There have been various related experiments and discussions in the past, and the responsible persons are willing to change it now (that is: ideally have all binary pkgs for NetBSD 10 signed and verified already).

This project is about fixing the loose ends.

Intended user workflow

• the user installs a new system
• at the end of the sysinst installation the config page offers a binary pkgs setup
• the user selects a repository (with a working default) and sysinst triggers all necessary configuration and installation actions (this may involve downloads and running fixup scripts, but may not require manual intervention)
• after a reboot of the new machine, binary pkgs can be directly added and will be automatically verified (e.g.: "pkg_add firefox" or "pkg_add xfce4" will work)

Implementation details

The following drafts a possible pkgsrc/pkgbuilders/releng workflow and assumes x509 signing. This is just to make this project description clearer, the project does not require a x509 based solution.

Operational workflow for pkg creation

• Thomas Klausner (wiz) is the keeper of the pkgsrc master CA key. He creates intermediate CA keys for every developer in charge of some pkgbuilding machines, signs them with the master CA key and distributes them.
• The public part of the master CA certificate becomes part of the NetBSD release and is available as a trust anchor.
• Every developer in charge of some pkgbuild machines creates a signing key (without passphrase) from their intermediate CA key and installs it on the individual pkg build machine

Main point of the whole process is that NetBSD and pkgsrc have different release cycles, and pkg building machines come and go. We do not want a fixed set of allowed machine signing keys distributed with a (long living) NetBSD release, but we do not want to just trust whatever the binary pkg repository offers, so there needs to be proper automatic validation of all keys used for a repository against some trust anchor provided with the base system. With the current size of the project it might be manageable to have all finally used signing keys signed directly by the pkgsrc master key, but a design that allows an interim step where individual signing keys could be created by the developers in charge of the machines would be preferable.

Deliverables for this project

1. all required changes (if any) for the pkgtools and pkgsrc makefiles, or any new tools/scripts (either as a set of patches or commited).

2. a description of the overall workflow, e.g. as a wiki page or as part of the web site.

3. concrete instructions for the various parties involved in the deployment:

   • pkgsrc master key/cert handling (Thomas)
   • releng: how to make the trust anchor part of the release and what needs to be configured/done by sysinst
     • globally
     • post pkg repository selections
   • pkg build administrators: how to create signing keys and how to configure the pkgbuild machines

And of course all this needs to be tested upfront.

Bonus

If this project succeeds and does not use x509, propose removal of the bit rotted and not fully functional x509 support from pkg tools and the pkgsrc infrastructure.

Setup tried so far and how it fails

Thomas (wiz@) provided the certificate for the TNF CA, intended to be used to verify all signed binary pkgs. When everything works, this key should be part of the base system.

Thomas also created a cert+key for the test setup, signed by the TNF CA key, intended to be used to sign binary pkgs on a single pkg build setup.

The instructions for these two steps are in pkgsrc/pkgtools/pkg_install/files/x509/signing.txt - a script and a config file are in the same directory.

On the build machine, the setup is simple:

• store the keys for example in /etc/pkg-certs. The names used below are 00.pem for the TNF CA cert and pkgkey_cert for the individual builder certificate and pkgkey_key.pem for the corresponding key (which needs to have no passphrase)

• Add to /etc/mk.conf (or the equivalent in the bulk build tree)

   # signed binary pkgs, see
   # https://mail-index.netbsd.org/pkgsrc-users/2013/08/30/msg018511.html
   SIGN_PACKAGES=x509
   X509_KEY=/etc/pkg-certs/pkgkey_key.pem
   X509_CERTIFICATE=/etc/pkg-certs/pkgkey_cert.pem
  

• Add to /etc/pkg_install.conf

   VERIFIED_INSTALLATIONS=always
   CERTIFICATE_ANCHOR_PKGS=/etc/pkg-certs/pkgkey_cert.pem
   CERTIFICATE_CHAIN=/etc/pkg-certs/00.pem
  

Then create a single pkg, like:

cd /usr/pkgsrc/pkgtools/digest
make package
make install

At the end of make package you should see successful signing of the binary pkg. But the make install will fail to verify the certificate.

Note: a key point of the whole setup is to avoid having to add the content of pkgkey_cert.pem to 00.pem (or similar). We want to avoid having to distribute many (changing) keys of build machines with the base system.

An alternative solution would make the key distribution part of the initial setup (e.g. download from a fixed relative path when selecting a pkg repository URL), but no off-the-shelf tools for that currently exist.