Re: Handling GPG signatures for pkgsrc with netpgp

To: tech-pkg%netbsd.org@localhost
Subject: Re: Handling GPG signatures for pkgsrc with netpgp
From: Pierre Pronchery <khorben%defora.org@localhost>
Date: 2017年2月16日 01:07:27 +0100

		Hi Alistair, tech-pkg@,
On 03/02/2017 19:05, Alistair Crooks wrote:

Sorry, thought I'd already given the go-ahead to commit your changes; I
certainly don't want to be a roadblock in these kind of things.

Understood, thank you :)

I currently do not have much time to look at this, but with yourapproval, I will try to commit the changes as soon as I get the chance.There is an issue though: I believe you are the official upstream fornetpgp, and I could not find any public repository for it. My intentionwas therefore to make sure these patches would be approved and findtheir way there first.Alternatively I can commit the changes in both NetBSD's src and pkgsrctree. It will be a bit complicated in pkgsrc though, since multiple,unrelated changes will be split across many patch files.Do you think we could work on a solution in this regard? Would it bepossible to work on netpgp in a public repository, issue new releasesfrom this repository and host them somewhere?

Incidentally, you may want to update your cert on edgebsd - chrome tells
me "NET::ERR_CERT_AUTHORITY_INVALID" for git.edgebsd.org
<http://git.edgebsd.org>

I am working on this, and have imported security/py-acme-tiny to fix itwith a certificate signed by Let's Encrypt.

Cheers,
-- khorben

On 2 February 2017 at 14:35, Pierre Pronchery <khorben%defora.org@localhost
<mailto:khorben%defora.org@localhost>> wrote:
 Hi tech-pkg@,
 I would like to mention that I have made good progress in the
 context of handling GPG signatures for pkgsrc with netpgp instead of
 GnuPG, and I am now able to use netpgp to both generate and verify
 signed binary packages from pkgsrc! Some bugs are still lurking, but
 this is a start.
 It currently requires applying the packages attached, and setting
 the gpg2netpgp wrapper attached in /etc/pkg_install.conf, e.g.:
 GPG=/usr/local/bin/gpg2netpgp
 There is a security issue with this setup - without being a
 regression though. Long story short, it is possible to fool netpgp
 into reporting what looks like a detached signature as being
 successfully verified, whereas it will look at content within the
 signature instead of the file to verify. I have no patch to fix this
 yet.
 I sent these patches to agc@ and security-officer@ for review back
 on October 10th when I had more time to work on this, but I need to
 carry on so I am posting it here. As usual clones of my work
 repositories can be found there:
 https://git.edgebsd.org/gitweb/?p=pkgsrc.git;a=summary
 <https://git.edgebsd.org/gitweb/?p=pkgsrc.git;a=summary>
 Being cryptography software and not my own code in the first place,
 I will appreciate a green light before committing any of these. This
 is quite exciting though, as save for a few issues remaining, it is
 no longer necessary to bootstrap GnuPG to import keys or support
 signed packages :)
 Cheers,
 -- khorben
 On 05/10/2016 01:57, Pierre Pronchery wrote:
 I thought you might want to know, I have managed to create
 GPG-signed
 binary packages with pkgsrc, using netpgp alone (and without any
 additional patch) thanks to the wrapper attached. It only requires
 setting GPG=gpg2netpgp in pkg_install.conf.
 By the way, I am writing to you directly assuming you are the
 official
 maintainer for netpgp; please let me know if there is a different
 upstream nowadays.
 Cheers!
 -- khorben
 On 08/09/2016 17:57, Pierre Pronchery wrote:
 On 09/ 8/16 09:24 AM, Alistair Crooks wrote:
 Thanks for your mail and patch.
 I'll have a look at this one tomorrow, it's a bit late
 tonight.
 I have found another crash, if netpgpkeys fails to import a
 key while
 the keyring is still empty:
 $ netpgpkeys --homedir /tmp/nonexistent --import-key /dev/null
 netpgp: warning homedir "/tmp/nonexistent" not found
 /tmp/nonexistent/pubring.gpg: No such file or directory
 Can't read pubring /tmp/nonexistent/pubring.gpg
 Can't read pub keyring
 Segmentation fault
 The patch attached fixes this issue.
 HTH,
 -- khorben
 On 7 September 2016 at 08:48, Pierre Pronchery
 <khorben%defora.org@localhost <mailto:khorben%defora.org@localhost>
 <mailto:khorben%defora.org@localhost <mailto:khorben%defora.org@localhost>>>
 wrote:
 Hi Alistair,
 I hope you are doing good. I have encountered this
 bug in NetPGP:
 $ netpgpkeys --import-key
 Segmentation fault
 In this case, I would expect netpgpkeys to either
 bail, or read keys
 from the standard input. I have written a patch for
 the latter,
 which I am attaching here.
 Let me know what you think.
 Cheers,
 --
 khorben

--
khorben

References:
- Handling GPG signatures for pkgsrc with netpgp
  - From: Pierre Pronchery
- Re: Handling GPG signatures for pkgsrc with netpgp
  - From: Alistair Crooks

Prev by Date: Re: p5-File-ReadBackwards Checksum SHA512 mismatch
Next by Date: daily pkgsrc CVS update output
Previous by Thread: Re: Handling GPG signatures for pkgsrc with netpgp
Next by Thread: Re: Handling GPG signatures for pkgsrc with netpgp
Indexes:

Home | Main Index | Thread Index | Old Index