I've got a problem with package signing (or validation more to the point), but I'm unsure if I've got it right yet..
Using:
- pkgbuild image d11a6444-c732-11e8-ad33-af7cfa11c61b
- instructions from https://github.com/joyent/pkgsrc-legacy/wiki/pkgdev:signing
- using run-sandbox 2018Q3-x86_64 for an env.
- unsure where the gpg2 comes from in the sandbox, so I've done a "pkg_add gnupg2" in the sandbox itself - is that the correct procedure? It wasn't clear in the above instructions. (gnupg2-2.2.10)
- builds and signs a package fine, using key from agent.
- key also imported to pkgsrc.gpg and can be seen with --list-keys.
--root@pkgsrc-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> file /data/packages/SmartOS/2018Q3/x86_64/All/digest-20160304.tgz
/data/packages/SmartOS/2018Q3/x86_64/All/digest-20160304.tgz: current ar archive, not a dynamic executable or shared object
but, attempting to do a pkg_add results in:
--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> pkg_add /data/packages/SmartOS/2018Q3/x86_64/All/digest-20160304.tgz
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
recog_userid: not 13
recog_primary_key: not userid
short pubring recognition???
Ignoring unusual/reserved signature subpacket 33
pkg_add: unable to verify signature: Signature key id 51c870862222c685 not found
--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
Interestingly, that key id above is from the middle part of my key, not the end.. I tried both short and long versions of the key - no difference.. using the middle part of the key doesn't actually match it. Is there a problem with the key lengths and/or compatibility and the code embedded in pkg_add vs gnupg2? or have I just stuffed up somewhere?
..............51c870862222c685..........
8860B35B7701C351C870862222C68512FBA0CD5B
--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> more /opt/local/etc/pkg_install.conf
GPG=/opt/local/bin/gpg2
#GPG_SIGN_AS=8860B35B7701C351C870862222C68512FBA0CD5B
GPG_SIGN_AS=FBA0CD5B
GPG_KEYRING_VERIFY=/opt/local/etc/gnupg/pkgsrc.gpg
PKG_PATH=/data/packages/SmartOS/2018Q3/x86_64/All;http://0.0.0.0:8080/packages/SmartOS/2018Q3/x86_64/All
--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> gpg --no-default-keyring --keyring=/opt/local/etc/gnupg/pkgsrc.gpg --list-keys
gpg: NOTE: trustdb not writable
/opt/local/etc/gnupg/pkgsrc.gpg
-------------------------------
pub 4096R/FAA66EE0 2015-02-03
uid Joyent Package Signing <pkgsrc@joyent.com>
sub 4096R/1B1CF4CC 2015-02-03
sub 4096R/DE817B8E 2015-02-03
pub 4096R/FBA0CD5B 2018-12-06
uid xxxxxx pkgsrc key <xxxx@xxxxxxxxx>
sub 4096R/3F0325C9 2018-12-06
Any help would be much appreciated..
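
A check for the mismatch described in the post, as an added example that is not part of the original post: for a v4 key the long key ID is the last 8 bytes of the fingerprint, signature subpacket 16 carries that issuer key ID, and subpacket 33 is the Issuer Fingerprint subpacket. The subpacket area is constructed from the fingerprint quoted in the post, not taken from the poster's package, and all function names are hypothetical.

```python
FPR = "8860B35B7701C351C870862222C68512FBA0CD5B"   # fingerprint quoted in the post
REPORTED = "51c870862222c685"                      # key id from the pkg_add error

def key_ids(fpr_hex):
    """Long and short key IDs of a v4 key: last 8 and last 4 fingerprint bytes."""
    fpr = bytes.fromhex(fpr_hex)
    if len(fpr) != 20:
        raise ValueError("v4 fingerprints are 20 bytes")
    return fpr[-8:].hex().upper(), fpr[-4:].hex().upper()

def parse_subpackets(area):
    """Yield (type, critical, body) for each subpacket in a signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                              # one-octet length
            length, i = first, i + 1
        elif first < 255:                            # two-octet length
            second = int.from_bytes(area[i + 1:i + 2], "big")
            length, i = ((first - 192) << 8) + second + 192, i + 2
        else:                                        # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):    # length counts the type octet
            raise ValueError("truncated or malformed subpacket")
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def issuer_from_signature(area):
    """Return (issuer key ID, issuer fingerprint) and check that they agree."""
    keyid = fpr = None
    for sp_type, _critical, body in parse_subpackets(area):
        if sp_type == 16 and len(body) == 8:         # Issuer (key ID)
            keyid = body.hex().upper()
        elif sp_type == 33 and len(body) == 21 and body[0] == 4:
            fpr = body[1:].hex().upper()             # Issuer Fingerprint, v4 key
    if keyid and fpr and key_ids(fpr)[0] != keyid:
        raise ValueError("issuer key ID does not match issuer fingerprint")
    return keyid, fpr

def offset_in_fingerprint(fpr_hex, keyid_hex):
    """Byte offset at which keyid appears inside the fingerprint, or -1."""
    return bytes.fromhex(fpr_hex).find(bytes.fromhex(keyid_hex))

# Constructed subpacket area (assumption, for illustration): type 33, then type 16.
_f = bytes.fromhex(FPR)
SAMPLE_AREA = bytes([22, 33, 4]) + _f + bytes([9, 16]) + _f[-8:]

if __name__ == "__main__":
    print(key_ids(FPR), issuer_from_signature(SAMPLE_AREA),
          offset_in_fingerprint(FPR, REPORTED))
```

The long key ID of a 20-byte fingerprint sits at byte offset 12, so an ID that turns up at any other offset is not one that `--list-keys` would show for that key.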