Use GnuPG to sign pkgsrc packages
The new pkgsrc-2014Q4 release provides signed packages for SmartOS. Many details about the release are given in an article by Jonathan Perkin, pkgsrc-2014Q4: LTS, signed packages, and more.
If you build your own packages, it's a good idea to sign them with your own or your company's GPG key as well. We do this for our extra SkyLime packages until we get them upstream.
Your development / pkgsrc build environment requires GPG to be installed. I hope you already have a GPG key created; otherwise you can find a good manual by using Google (Easy GPG Cheatsheet).
I recommend installing GnuPG version 2, which provides the GPG agent feature.
pkgin in gnupg2
You need to enable signing by GPG and provide the path and key ID in your configuration files. Modify /opt/local/etc/mk.conf and enable
The path and GPG key ID need to be configured in
If you haven't created the public / private key pair as the same user you use to build packages, you need to import it into the local keyring. Be sure you are the user who builds the packages.
Copy the public and private key pair to the machine into the user's
[build@build-pkgsrc-tm-2014q4 ~]# ls -la pkgsrc/
-rw-r--r-- 1 build build 3086 Mar 26 15:32 pkgsrc_pkg_sig.pub
-r-------- 1 build build 6687 Mar 26 15:32 pkgsrc_pkg_sig.sec
Verify that the keys and fingerprints are correct and import them to the local keyring for the
gpg --import pkgsrc/*
Use GnuPG agent
If you build a lot of packages at the same time, you won't want to enter the GnuPG passphrase on every build. So I recommend using the GPG agent, which saves the passphrase for some time.
Modify or add the following lines to your
envfile="$HOME/.gnupg/gpg-agent.env"
if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    eval "$(gpg-agent --daemon --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO   # the env file does not contain the export statement
export GPG_TTY=$(tty)   # if it can't find the tty, we are the tty (required by zlogin)
Enable the GPG agent in the default GPG configuration file ~/.gnupg/gpg.conf by adding the following line:
Increase the timeout for the passphrase and maybe specify the path to the pinentry program in
default-cache-ttl 43200   # seconds
pinentry-program /opt/local/bin/pinentry
Add your public key to the pkgsrc keyring
Signing a package isn’t all, the signature needs to be trusted by
pkg_add and other commands. On SmartOS the pkgsrc keyring is stored in
/opt/local/etc/gnupg/pkgsrc.gpg. You could check the
/opt/local/etc/pkg_install.conf configuration file for the correct path.
Download the public GPG key, or copy it from your local machine to the SmartOS zone. Verify that the fingerprint of the downloaded GPG key matches the fingerprint you expect.
Are you sure you have verified that the fingerprint is correct?
Import your GPG public key to the pkgsrc keyring:
gpg --primary-keyring /opt/local/etc/gnupg/pkgsrc.gpg --import pkgsrc_pkg_sig.pub
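As an added example that is not part of the original post, the following POSIX shell functions only import a key file into /opt/local/etc/gnupg/pkgsrc.gpg after its fingerprint has been compared with the one you expect; the expected-fingerprint placeholder and the use of gpg's --with-colons --with-fingerprint listing to read the fingerprint without importing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to import a public key
# into the pkgsrc keyring unless its fingerprint matches the expected one.
# Assumes: keyring path from the post, gpg (v2) available, and that
# "gpg --with-colons --with-fingerprint FILE" lists the key without importing.

PKGSRC_KEYRING="/opt/local/etc/gnupg/pkgsrc.gpg"

# Normalize a fingerprint: drop spaces and uppercase, so "ab cd" == "ABCD".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only if the expected value is a 40-hex-digit v4 fingerprint
# and the actual value is identical to it after normalization.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$2")
    case "$expected" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ ${#expected} -eq 40 ] && [ "$expected" = "$actual" ]
}

# Read the primary key fingerprint from a key file without importing it
# (the "fpr" record, field 10, in gpg's colon-separated output).
key_file_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import into the pkgsrc keyring only after the fingerprint check passes.
import_if_fingerprint_matches() {
    keyfile=$1
    expected=$2
    actual=$(key_file_fingerprint "$keyfile")
    if fingerprint_matches "$expected" "$actual"; then
        gpg --primary-keyring "$PKGSRC_KEYRING" --import "$keyfile"
    else
        printf 'fingerprint mismatch for %s: expected %s, got %s\n' \
            "$keyfile" "$expected" "${actual:-<none>}" >&2
        return 1
    fi
}

# Usage (placeholder fingerprint; replace with the one you verified out of band):
# import_if_fingerprint_matches pkgsrc_pkg_sig.pub "<EXPECTED-FINGERPRINT-PLACEHOLDER>"
```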