~drscream
Use GnuPG to sign pkgsrc packages
The new pkgsrc-2014Q4 release provides signed packages for SmartOS. Many details about the release are given in an article by Jonathan Perkin, pkgsrc-2014Q4: LTS, signed packages, and more.
If you build your own packages it is a good idea to sign them with your own or your company's GPG key as well. We do this for our extra SkyLime packages until we get them upstream.
Requirements
Your development / pkgsrc build environment requires GPG to be installed. I hope you already have a GPG key created; otherwise you can find a good manual via Google (Easy GPG Cheatsheet).
I recommend installing GnuPG version 2, which provides the GPG agent feature:
pkgin in gnupg2
Configuration
You need to enable signing by GPG and provide the path and key ID in your configuration files. Modify /opt/local/etc/mk.conf and enable SIGN_PACKAGES:
SIGN_PACKAGES= gpg
The path and GPG key ID need to be configured in /opt/local/etc/pkg_install.conf:
GPG=/opt/local/bin/gpg2
GPG_SIGN_AS=your_gpg_key_id
Keyring
If you haven't created the public / private key pair as the same user you use to build packages, you need to import it into that user's local keyring. Be sure you are the user who builds the packages.
Copy the public and private key pair to the machine, into the user's HOME folder.
[build@build-pkgsrc-tm-2014q4 ~]# ls -la pkgsrc/
-rw-r--r-- 1 build build 3086 Mar 26 15:32 pkgsrc_pkg_sig.pub
-r-------- 1 build build 6687 Mar 26 15:32 pkgsrc_pkg_sig.sec
Verify that the keys and fingerprints are correct and import them into the local keyring for the build user.
gpg --import pkgsrc/*
Use GnuPG agent
If you are building a lot of packages at the same time you won't want to enter the GnuPG passphrase on every build, so I recommend using the GPG agent, which caches the passphrase for some time.
Modify or add the following lines to your ~/.bashrc:
# Reuse a running gpg-agent if its env file exists and the PID recorded in it is
# still alive; otherwise start a new agent and write its environment to the env file.
# (This applies to GnuPG 2.0: GnuPG 2.1 and later start the agent on demand and no
# longer support --write-env-file or GPG_AGENT_INFO.)
envfile="$HOME/.gnupg/gpg-agent.env"
if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    eval "$(gpg-agent --daemon --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO # the env file does not contain the export statement
export GPG_TTY=$(tty) # if gpg can't find the tty by itself, we are the tty (required by zlogin)
Enable the GPG agent in the default GPG configuration file ~/.gnupg/gpg.conf by adding the following line:
use-agent
Increase the timeout for the cached passphrase and, if needed, specify the path to the pinentry program in ~/.gnupg/gpg-agent.conf:
# cache the passphrase for 12 hours (value in seconds)
default-cache-ttl 43200
pinentry-program /opt/local/bin/pinentry
Your public key in the pkgsrc keyring
Signing a package isn't everything: the signature also needs to be trusted by pkgin, pkg_add and the other commands. On SmartOS the pkgsrc keyring is stored in /opt/local/etc/gnupg/pkgsrc.gpg. Check the /opt/local/etc/pkg_install.conf configuration file for the correct path.
Download the public GPG key, or copy it from your local machine to the SmartOS zone. Verify that the fingerprint of the downloaded GPG key matches the fingerprint you expect.
Are you sure you have verified that the fingerprint is correct?
Import your GPG public key to the pkgsrc keyring:
gpg --primary-keyring /opt/local/etc/gnupg/pkgsrc.gpg --import pkgsrc_pkg_sig.pub
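As an added example (not code from the original post), here is a small POSIX shell wrapper that performs the fingerprint check above before importing: it reads the key file's primary fingerprint from gpg's --with-colons output, compares it with the fingerprint you expect, and only then runs the import into the pkgsrc keyring. The gpg2 path, the keyring path and the sample key listing are assumptions or constructed data.

```shell
# Added example (not from the original post): import a public key into the
# pkgsrc keyring only after its fingerprint matches the one you expect.
# Assumptions: gpg2 lives at /opt/local/bin/gpg2 and the keyring path is the
# SmartOS one from the post; the sample key data below is constructed.
GPG=/opt/local/bin/gpg2
PKGSRC_KEYRING=/opt/local/etc/gnupg/pkgsrc.gpg

# Normalise a fingerprint as typed or pasted: strip spaces and a leading 0x,
# upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Compare two fingerprints after normalisation; an empty actual value never matches.
fpr_equal() {  # actual expected
    [ -n "$1" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# From `gpg --with-colons` output on stdin, print the primary key fingerprint
# (field 10 of the first "fpr" record after each "pub" record; subkey
# fingerprints follow "sub" records and are skipped).
primary_fprs_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next } want && $1 == "fpr" { print $10; want = 0 }'
}

# Constructed sample of `gpg --with-colons --with-fingerprint key.pub` output
# (fake key IDs and fingerprints) so the parser can be checked without gpg.
sample_colons() {
    cat <<'EOF'
pub:-:4096:1:0123456789ABCDEF:1427380000:::-:::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:-::::1427380000::0000000000000000000000000000000000000000::Example Signer <signer@example.org>:
sub:-:4096:1:FEDCBA9876543210:1427380000::::::e:
fpr:::::::::5555EEEE4444DDDD3333CCCC2222BBBB1111AAAA:
EOF
}

# Import key_file into the pkgsrc keyring only if its primary fingerprint
# equals expected_fpr; otherwise refuse and return non-zero.
import_to_pkgsrc_keyring() {  # key_file expected_fpr
    actual=$("$GPG" --with-colons --with-fingerprint "$1" 2>/dev/null | primary_fprs_from_colons | head -n 1)
    if fpr_equal "$actual" "$2"; then
        "$GPG" --primary-keyring "$PKGSRC_KEYRING" --import "$1"
    else
        echo "fingerprint mismatch for $1 (got '${actual:-none}'); refusing to import" >&2
        return 1
    fi
}
```

Call it as `import_to_pkgsrc_keyring pkgsrc_pkg_sig.pub "AAAA 1111 BBBB ..."` with the fingerprint you obtained out of band; a key whose fingerprint differs is never written to the keyring.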