Handle updates and pkg_sign question

Handle updates and pkg_sign question

Panagiotis Atmatzidis
Hi,

I managed to create proper packages using "pkg_create" for two versions
of "mypkg". Now I'm trying to handle upgrades and signatures.

Although I'm setting the "FULLPKGPATH" options, upgrades are not handled
cleanly:

----
sudo pkg_add -D unsigned -Uvv -i mypkg-3.99.2228-obsd6.tgz
Update candidates: quirks-2.241 -> quirks-2.241
quirks-2.241 signed on 2016-07-26T16:56:10Z
No change in quirks-2.241
parsing mypkg-3.99.2228-obsd6
Skipping mypkg-3.0.1865-obsd6 (update candidate for
mypkg-3.0.1865-obsd6)
        mypkg-3.0.1865-obsd6 pkgpaths:
        mypkg-3.0.1865-obsd6 pkgpaths:
Skipping mypkg-3.99.2228-obsd6 (update candidate for
mypkg-3.0.1865-obsd6)
        mypkg-3.0.1865-obsd6 pkgpaths:
        mypkg-3.99.2228-obsd6 pkgpaths:
No need to update mypkg-3.0.1865-obsd6
[mypkg-3.0.1865-obsd6]mypkg-3.99.2228-obsd6: internal conflict between
mypkg-3.99.2228-obsd6 and mypkg-3.0.1865-obsd6
----

How does "pkg_add" handle updates? The creation of the package is made
using the following command:

----
pkg_create -A $arch \
           -d $pkg_desc \
           -f $pkg_list \
           -B $base \
           -p $prefix \
           -D COMMENT="$comment" -D MAINTAINER="$maintainer" \
           -D FULLPKGPATH=$prefix \
           "nxlog-$version-$osrel.tgz"
----

Note that prefix is "/opt/mypkg" in my case. I thought that by setting
"FULLPKGPATH=", pkg_add would handle updates based on version numbers
alone. I don't use any "conflict" keywords.

I'm trying to use signify to distribute packages as safely as possible.
First off, thanks to Ted for signify, it's very easy to work with.

Apart from creating and signing SHA files, I'd like to know why OpenBSD
complains with "Couldn't check signature" since the pub key is under
"/etc/signify/"?

----
$ pkg_sign -s signify -s mypkg-signify.key -o signed/ -S packages/

$ pkg_info -d signed/mypkg-3.99.2228-obsd6.tgz
 Package signed by untrusted party mypkg-signify.key
 Fatal error: Couldn't check signature for mypkg-3.99.2228-obsd6.tgz
  at /usr/libdata/perl5/OpenBSD/PkgInfo.pm line 397.

$ ls -l /etc/signify/mypkg-signify.key.pub
 -rw-r--r--  1 root  wheel  109 Mar 17 12:52
 /etc/signify/mypkg-signify.key.pub
----

Same errors come up with -C and -S of course.

Thanks!

--
Panagiotis (atmosx) Atmatzidis

email:  [hidden email]
URL:    http://www.convalesco.org
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5

"Everyone thinks of changing the world, but no one thinks of changing
himself." - Leo Tolstoy

Re: Handle updates and pkg_sign question

Panagiotis Atmatzidis
Hi again,

> On 17 Mar 2017, at 14:22, Panagiotis Atmatzidis <[hidden email]> wrote:

>
> Hi,
>
> I managed to create proper packages using "pkg_create" for two versions
> of "mypkg". Now I'm trying to handle upgrades and signatures.
>
> Although I'm setting the "FULLPKGPATH" options, upgrades are not handled
> cleanly:
>
> ----
> sudo pkg_add -D unsigned -Uvv -i mypkg-3.99.2228-obsd6.tgz
> Update candidates: quirks-2.241 -> quirks-2.241
> quirks-2.241 signed on 2016-07-26T16:56:10Z
> No change in quirks-2.241
> parsing mypkg-3.99.2228-obsd6
> Skipping mypkg-3.0.1865-obsd6 (update candidate for
> mypkg-3.0.1865-obsd6)
>        mypkg-3.0.1865-obsd6 pkgpaths:
>        mypkg-3.0.1865-obsd6 pkgpaths:
> Skipping mypkg-3.99.2228-obsd6 (update candidate for
> mypkg-3.0.1865-obsd6)
>        mypkg-3.0.1865-obsd6 pkgpaths:
>        mypkg-3.99.2228-obsd6 pkgpaths:
> No need to update mypkg-3.0.1865-obsd6
> [mypkg-3.0.1865-obsd6]mypkg-3.99.2228-obsd6: internal conflict between
> mypkg-3.99.2228-obsd6 and mypkg-3.0.1865-obsd6
> ----
>
> How does "pkg_add" handle updates? The creation of the package is made
> using the following command:
>
> ----
> pkg_create -A $arch \
>           -d $pkg_desc \
>           -f $pkg_list \
>           -B $base \
>           -p $prefix \
>           -D COMMENT="$comment" -D MAINTAINER="$maintainer" \
>           -D FULLPKGPATH=$prefix \
>           "nxlog-$version-$osrel.tgz"
> ----
>
> Note that prefix is "/opt/mypkg" in my case. I thought that by setting
> "FULLPKGPATH=", pkg_add would handle updates based on version numbers
> alone. I don't use any "conflict" keywords.
>
> I'm trying to use signify to distribute packages as safely as possible.
> First off, thanks to Ted for signify, it's very easy to work with.
>
> Apart from creating and signing SHA files, I'd like to know why OpenBSD
> complains with "Couldn't check signature" since the pub key is under
> "/etc/signify/"?
>
> […]

I figured this part out. Signify is very picky about filename structure. I had
used the extension “.key” instead of “sec”. The docs[1] and a bit of
experimenting helped me a bit.
I still can’t figure out how to handle upgrades using the -U flag.


[1] https://www.openbsd.org/faq/faq15.html#PkgSig

--
Panagiotis (atmosx) Atmatzidis

email: [hidden email]
URL: http://www.convalesco.org
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5

"Everyone thinks of changing the world, but no one thinks of changing
himself." - Leo Tolstoy
