~drscream

Use GnuPG to sign pkgsrc packages

The new pkgsrc-2014Q4 release provides signed packages for SmartOS. Many details about the release are given in an article by Jonathan Perkin, pkgsrc-2014Q4: LTS, signed packages, and more.

If you build your own packages it’s a good idea to sign them as well, with your own or your company’s GPG key. We do this for our extra SkyLime packages until we get them upstream.

Requirements

Your development / pkgsrc build environment requires GPG to be installed. I assume you have already created a GPG key; if not, there are good guides to be found via Google (Easy GPG Cheatsheet).

I recommend installing GnuPG version 2, which provides the GPG agent feature.

pkgin in gnupg2

Configuration

You need to enable signing with GPG and provide the GPG path and key ID in your configuration files. Modify /opt/local/etc/mk.conf and enable SIGN_PACKAGES:

SIGN_PACKAGES=	gpg

The path and GPG key ID need to be configured in /opt/local/etc/pkg_install.conf:

GPG=/opt/local/bin/gpg2
GPG_SIGN_AS=your_gpg_key_id

Keyring

If you haven’t created the public / private key pair as the same user you use to build packages, you need to import it into that user’s local keyring. Be sure you’re the user who builds the packages.

Copy the public and private key pair to the machine, into the user’s HOME folder.

[build@build-pkgsrc-tm-2014q4 ~]# ls -la pkgsrc/
-rw-r--r-- 1 build build 3086 Mar 26 15:32 pkgsrc_pkg_sig.pub
-r-------- 1 build build 6687 Mar 26 15:32 pkgsrc_pkg_sig.sec

Verify that the keys and fingerprints are correct and import them into the local keyring for the build user.

gpg --import pkgsrc/*

Use GnuPG agent

If you build a lot of packages at the same time you won’t want to enter the GnuPG passphrase on every build. So I recommend using the GPG agent, which caches the passphrase for some time.

Modify or add the following lines to your ~/.bashrc:

# Reuse a running gpg-agent if the PID recorded in the env file is still alive,
# otherwise start a new agent and write its environment to the env file.
envfile="$HOME/.gnupg/gpg-agent.env"
if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    eval "$(gpg-agent --daemon --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO  # the env file does not contain the export statement
export GPG_TTY=$(tty)  # gpg may not find the tty on its own; set it explicitly (required under zlogin)

Enable GPG agent in the default GPG configuration file ~/.gnupg/gpg.conf by adding the following line:

use-agent

Increase the cache timeout for the passphrase and, if needed, specify the path to the pinentry program in ~/.gnupg/gpg-agent.conf:

# cache the passphrase for 43200 seconds (12 hours)
default-cache-ttl 43200
pinentry-program /opt/local/bin/pinentry

Your public key to pkgsrc keyring

Signing a package isn’t all: the signature needs to be trusted by pkgin, pkg_add and the other commands. On SmartOS the pkgsrc keyring is stored in /opt/local/etc/gnupg/pkgsrc.gpg. You can check the /opt/local/etc/pkg_install.conf configuration file for the correct path.

Download the public GPG key, or copy it from your local machine to the SmartOS zone. Verify that the fingerprint of the downloaded GPG key matches the fingerprint you expect.

Are you sure you have verified that the fingerprint is correct?

Import your GPG public key into the pkgsrc keyring:

gpg --primary-keyring /opt/local/etc/gnupg/pkgsrc.gpg --import pkgsrc_pkg_sig.pub
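The verification step described above as a script, added here and not code from the original post: it lists the key file without importing it, compares the primary key fingerprint with the one you expect, and only then imports into the pkgsrc keyring. The gpg2 path and keyring path are the ones from this post; `gpg --with-colons --with-fingerprint FILE` is assumed to list a key file, and the fingerprint in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: check a downloaded public key's
# fingerprint against the one you expect before importing it into the pkgsrc
# keyring. Assumes gpg2 at /opt/local/bin/gpg2 and the keyring path from the post;
# `gpg --with-colons --with-fingerprint FILE` is assumed to list the key file.

GPG=${GPG:-/opt/local/bin/gpg2}
KEYRING=${KEYRING:-/opt/local/etc/gnupg/pkgsrc.gpg}

# Normalise a fingerprint for comparison: drop spaces, uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Print the primary key fingerprint (field 10 of the first fpr: record) from
# --with-colons output read on stdin.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 if the colon-format listing in $1 carries the fingerprint $2.
# Fails closed when the listing has no fpr: record at all.
fpr_matches() {
    found=$(printf '%s\n' "$1" | primary_fpr_from_colons)
    [ -n "$found" ] && [ "$(norm_fpr "$found")" = "$(norm_fpr "$2")" ]
}

# List the key file without importing it, compare, and import into the
# pkgsrc keyring only on a match.
verify_and_import() {
    keyfile=$1
    expected=$2
    listing=$("$GPG" --with-colons --with-fingerprint "$keyfile" 2>/dev/null) || return 1
    if fpr_matches "$listing" "$expected"; then
        "$GPG" --primary-keyring "$KEYRING" --import "$keyfile"
    else
        echo "fingerprint mismatch for $keyfile, not importing" >&2
        return 1
    fi
}

# Usage (constructed placeholder fingerprint, replace it with your own):
#   verify_and_import pkgsrc_pkg_sig.pub '0000 1111 2222 3333 4444  5555 6666 7777 8888 99AA'
```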
