As Erich pointed out we don't support any sort of package signing yet.
To start discussion, I created a buildtool setup for gpg, where only gpgv is packaged. The way it's built, there are no further requirements (like libreadline). Maybe gpgv can be added to the config package instead of a package of its own.
Next we do need a gpg key for the team, where the public key will be added to /root/.gnupg/trustedkeys.gpg.
Third, buildtool.pl needs to be enhanced to build a signature for a given lrp and to save it into <packagename>.gpg.
We can upload lrp and gpg files into the binary repository if we update a lrp package.
Users can download both and check the signature before running apkg:
firewall# gpgv -v gnupg.gpg gnupg.lrp
gpgv: armor header: Version: GnuPG v1.4.10 (GNU/Linux)
gpgv: Signature made Sat Jul 16 16:07:26 2011 METDST using DSA key ID 0858BFA3
gpgv: Good signature from "Bering-uClibc Team <leaf- user@>"
gpgv: binary signature, digest algorithm SHA256
Comments are welcome.
buildpacket.pl has been changed for the "next" branch to optionally create a file with a signature for an lrp package with the parameter --sign.
The key chosen is the one of the packager in buildtool.conf and the passphrase should be added in buildconf.conf.
tools/buildall-signed.sh has been added to create all packages with an accompanying signature file.
The public key of the developer has to be imported to trustedkeys.gpg:
TODO:
- Add the signature files to our PACKAGES web page.
- How to distribute the public keys?
- How to add it to the router/preferably integrate it into apkg...
- How to import files into trustedkeys.gpg?
As a first step I committed Dec 2012:
A new commandline option -v (verify) in apkg.
apkg -v [path]Package[.lrp] checks if the signature given in Package.gpg is valid.
Committed a trustedkeys.gpg with a first key (a new one owned by myself) in /root/.gnupg and packaged in config.lrp.
To add a new key run the command above and replace the --keyring with repo/config/trustedkeys.gpg.
To create a Package.gpg run buildpacket.pl with the option --sign (or tools/buildall-signed.sh when building all packages at once. In that case add the gpg passphrase to conf/buildtool.local for your convenience).
Todo:
- get rid of libiconv.lrp as requirement for gpgv
- key-signing
- perhaps adding gpg to gnupg.lrp so we can create new keys within the LEAF box
- add gnupg.lrp to the images
Diff:
Hi KP
On 07.03.2019 at 12:41, "KP Kirchdörfer" wrote:
As current requirements have shown, this is not the case. We don't need
another name for signed packages. With initrd and upgrade handling
signed and/or unsigned packages we should drop unsigned packages any time
soon.
There are a few loopholes though
1) What happens to locally generated packages?
We need to emphasize that any locally generated package is not a
package from the official distribution, therefore marking this package
as unsigned as it is the case with the current initrd appears to be
justified.
2) Can we generate signed packages locally e.g. a signed confidb ?
Actually this is not the case. My personal feeling is yes we could and
we should. It requires some more code in the apkg script and it would
require for each user to generate a key and add it to the keyring.
Unfortunately the keyring used in initrd is the one generated centrally.
The keyring needed to verify local packages would be saved in the
configdb itself. So the current environment makes it very difficult to
handle keys in a simple way.
To overcome such limitations we would need to find a way to make the
keyrings more flexible which would make them more vulnerable though.
cheers
ET
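The verification step discussed in the thread (apkg -v checking Package.gpg against trustedkeys.gpg with gpgv) together with the "locally generated, unsigned package" case raised above, as an added shell example that is not part of apkg or of any post here; the function name verify_lrp, its exit codes and the default keyring path are assumptions.

```shell
#!/bin/sh
# Added example: verify a LEAF .lrp package against its detached .gpg
# signature with gpgv and a dedicated trusted keyring, as the thread describes.
# Function name, exit codes and default keyring path are assumptions (not apkg's).

# verify_lrp [path]Package[.lrp] [KEYRING]
#   returns 0  signature file present and made by a key in KEYRING
#           2  no Package.gpg beside the package: a locally built, unsigned
#              package, to be treated as not coming from the distribution
#           1  a signature exists but does not verify (modified file, or a
#              key that is not in the trusted keyring), or a usage error
verify_lrp() {
    pkg=$1
    keyring=${2:-/root/.gnupg/trustedkeys.gpg}

    # accept "Package" as well as "Package.lrp", like apkg -v [path]Package[.lrp]
    case $pkg in
        *.lrp) ;;
        *) pkg="$pkg.lrp" ;;
    esac
    sig="${pkg%.lrp}.gpg"

    if [ ! -f "$pkg" ]; then
        echo "verify_lrp: $pkg: no such package" >&2
        return 1
    fi
    if [ ! -f "$sig" ]; then
        echo "verify_lrp: $pkg: no signature file $sig, treating as unsigned" >&2
        return 2
    fi
    if [ ! -r "$keyring" ]; then
        echo "verify_lrp: keyring $keyring is not readable" >&2
        return 1
    fi

    # gpgv trusts only the keys in the keyring it is given (a keyring name
    # without a slash is looked up in the GnuPG home directory), so a
    # signature from any other key fails here, which is the property wanted.
    if gpgv --keyring "$keyring" "$sig" "$pkg"; then
        echo "verify_lrp: $pkg: good signature"
        return 0
    fi
    echo "verify_lrp: $pkg: BAD or untrusted signature, refusing package" >&2
    return 1
}
```

The three return codes let a caller distinguish "unsigned local package" from "signed but failing", which is the distinction the discussion of locally generated packages asks for.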
Related
Tickets:
#57 Added in 6.1/6.2
Works with update.
Still needs support in images build
This Feature is active as of 6.0