Sign pkgsrc packages manually

Starting a post with "this is only a workaround and you should only use it if you sure what you're doing" is maybe not the best start but anyway: This is only a workaround if you missed to sign your package or would like todo it for your home environment!

Please have a look at pkgbuild from Jonathan which provides most features to have a nice build environment for pkgsrc.

To sign a package manually and not during the build process you could use the pkg_admin tool. The tool provides an argument gpg-sign-package which allow you to sign packages with GPG based on your mk.conf file.

It's required to have your GPG environment ready and working. So you need an public/private key pair in your trust store which you could use for signing the package. It's not required to have gpg-agent or anything running but if not you need so insert your password on each package you like to sign.

The following variables need to be configured in your mk.conf:

# Set your gpg key ID to the following variable
GPG_SIGN_AS=your_gpg_id
# Set the path to the GPG binary
GPG=/opt/pkg/bin/gpg

After this is done you could use the pkg_admin command to sign you package:

$ pkg_admin gpg-sign-package unsigned/vim-nox-8.0.0086.tgz signed/vim-nox-8.0.0086.tgz

Because I'm a little bit lazy and only need to variables in the mk.conf I've created the following script which use a temporary mk.conf file for signing:

#!/usr/bin/env bash

GPG_SIGN_AS=your_gpg_id
MK_CONF=$(mktemp -q /tmp/mk-conf.XXXXXXXX)

cat <<EOF >> ${MK_CONF}
GPG_SIGN_AS=${GPG_SIGN_AS}
GPG=$(which gpg)
EOF

pkg_admin -C ${MK_CONF} gpg-sign-package $@
rm "${MK_CONF}"

Posted

January 02, 2017, 11:00 am

Tags

, , , ,

More

Permalink

Comments

Send your comment by mail.