Linux Archive > ArchLinux > ArchLinux Development
10-30-2011, 09:50 PM
Allan McRae

sign packages on alderaan

On 31/10/11 06:09, Daniel Isenmann wrote:

On Sun, 30 Oct 2011 19:06:21 +0100
Florian Pritz <bluewind@xinu.at> wrote:


On 30.10.2011 18:56, Daniel Isenmann wrote:

I'm building my packages exclusive on pkgbuild.com and there I can't
sign packages. If we do the switch in dbscripts then pkgbuild.com
should be ready to generate signed packages. As far as I know it
isn't possible yet, am I right?


So far the only solution is to download the finished package, sign it
locally using gpg --detach-sign <file> and then uploading the
signature back to pkgbuild.com so commitpkg will find it.

There has been some discussion [1] about remote signing for GPG, but I
think they dropped the idea.

[1]:
http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html


Kerrick Staley's last comment [1] on this thread was that they will go
with the hash-signing implementation. But it seems that there is
nothing new on this topic.

[1]:
http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042078.html



I'd be much more interested in a patch that actually lets you do remote
signing than a discussion that went nowhere...


http://lists.gnupg.org/pipermail/gnupg-devel/2011-July/026170.html

But then again, that patch went nowhere in the end too as far as I can tell.

Allan
 
11-11-2011, 10:56 PM
Ionut Biru

sign packages on alderaan

On 11/12/2011 01:43 AM, Ray Rashif wrote:
> On 12 November 2011 07:35, Dan McGee <dpmcgee@gmail.com> wrote:
>> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv@archlinux.org> wrote:
>>> On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
>>>> So far the only solution is to download the finished package, sign it
>>>> locally using gpg --detach-sign <file> and then uploading the signature
>>>> back to pkgbuild.com so commitpkg will find it.
>>>
>>> Did something change WRT this workflow now? I'm getting
>>> signature-incorrect from commitpkg. I did sign like this 2 times
>>> before (opencv and cinelerra-cv), so it did work recently. gpg
>>> --verify outputs:
>>>
>>> gpg: Can't check signature: public key not found
>>>
>>> But this is normal, and the public key was not there for the previous
>>> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
>>> need to import my public key on alderaan?
>>
>> Is your key in your keychain on alderaan? Probably not from what this
>> looks like. Easy to check- `gpg --list-keys 0xfoobar`.
>>
>> -Dan
>>
>
> Nope. That was what I was asking - whether I need to add it. The last
> 2 times that I pushed signed packages from alderaan I didn't do
> anything gpg-related remotely.
>
> Anyway, imported the key now so all is good again.
>
>
> --
> GPG/PGP ID: C0711BF1

Don't import any key on alderaan.

It is a devtools requirement that a signature must exist, to force
packagers to sign their packages. Imo we should try to make that
optional on alderaan or, even better, use svn commit and commitpkg only
locally after copying the packages.


--
Ionuț
 
11-11-2011, 10:59 PM
Dan McGee

sign packages on alderaan

On Fri, Nov 11, 2011 at 5:56 PM, Ionut Biru <ibiru@archlinux.org> wrote:
> On 11/12/2011 01:43 AM, Ray Rashif wrote:
>> On 12 November 2011 07:35, Dan McGee <dpmcgee@gmail.com> wrote:
>>> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv@archlinux.org> wrote:
>>>> On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
>>>>> So far the only solution is to download the finished package, sign it
>>>>> locally using gpg --detach-sign <file> and then uploading the signature
>>>>> back to pkgbuild.com so commitpkg will find it.
>>>>
>>>> Did something change WRT this workflow now? I'm getting
>>>> signature-incorrect from commitpkg. I did sign like this 2 times
>>>> before (opencv and cinelerra-cv), so it did work recently. gpg
>>>> --verify outputs:
>>>>
>>>> gpg: Can't check signature: public key not found
>>>>
>>>> But this is normal, and the public key was not there for the previous
>>>> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
>>>> need to import my public key on alderaan?
>>>
>>> Is your key in your keychain on alderaan? Probably not from what this
>>> looks like. Easy to check- `gpg --list-keys 0xfoobar`.
>>>
>>> -Dan
>>>
>>
>> Nope. That was what I was asking - whether I need to add it. The last
>> 2 times that I pushed signed packages from alderaan I didn't do
>> anything gpg-related remotely.
>>
>> Anyway, imported the key now so all is good again.
>>
>>
>> --
>> GPG/PGP ID: C0711BF1
>
> don't import any key on alderaan.

Hmm?

He is trying to *verify*, meaning he needs his *public* key. This has
nothing to do with signing or private keys. It makes a heck of a lot
more sense bandwidth-wise for him to upload the signature file to
alderaan than upload both the package and signature from his local
machine, so why should he not be able to do that? The `gpg --verify`
call is there to make sure developers don't accidentally upload
mismatched packages and corresponding signature files, which could
easily happen when doing test builds and --nosign, etc.

-Dan
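The download-sign-upload workflow and the commitpkg-style `gpg --verify` mismatch check discussed in this thread, as an added example that is not from the thread or from devtools. It assumes gpg is installed and uses a constructed throwaway key and package file inside a scratch GNUPGHOME.

```shell
#!/bin/sh
# Reproduce the pkgbuild.com workflow on one machine: detach-sign a package
# the way a packager does locally, then run the same kind of verify check
# commitpkg performs, once on the matching pair and once after the package
# was rebuilt (the "test build with --nosign" mismatch Dan describes).
set -u

# Packager side: produce <pkg>.sig next to the package.
sign_package() {
    gpg --batch --yes --detach-sign "$1"
}

# commitpkg side: does <pkg>.sig verify against <pkg> with the public key
# present in the keyring? Only the public key is needed for this step.
verify_package() {
    gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Returns 0 when the matching pair verifies and the rebuilt package is rejected.
demo_mismatch_detection() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 0; }
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Constructed, unprotected throwaway key in a scratch keyring (not a real packager key).
    gpg --batch --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Constructed Test Packager
Name-Email: packager@example.invalid
Expire-Date: 0
%commit
EOF
    pkg="$work/foo-1.0-1-x86_64.pkg.tar.xz"          # constructed package file
    printf 'constructed package contents, build 1\n' > "$pkg"
    sign_package "$pkg"   || { rm -rf "$work"; return 1; }
    verify_package "$pkg" || { rm -rf "$work"; return 1; }   # matching pair: OK
    # Rebuild after signing: same file name, different bytes, stale .sig
    printf 'constructed package contents, build 2\n' > "$pkg"
    if verify_package "$pkg"; then rm -rf "$work"; return 1; fi  # must be rejected
    rm -rf "$work"
    return 0
}
```

Run `demo_mismatch_detection` and check its exit status; the stale signature is what the check in commitpkg is meant to catch before a mismatched pair reaches the repository.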
 
11-11-2011, 11:04 PM
Ionut Biru

sign packages on alderaan

On 11/12/2011 01:59 AM, Dan McGee wrote:
> On Fri, Nov 11, 2011 at 5:56 PM, Ionut Biru <ibiru@archlinux.org> wrote:
>> On 11/12/2011 01:43 AM, Ray Rashif wrote:
>>> On 12 November 2011 07:35, Dan McGee <dpmcgee@gmail.com> wrote:
>>>> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv@archlinux.org> wrote:
>>>>> On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
>>>>>> So far the only solution is to download the finished package, sign it
>>>>>> locally using gpg --detach-sign <file> and then uploading the signature
>>>>>> back to pkgbuild.com so commitpkg will find it.
>>>>>
>>>>> Did something change WRT this workflow now? I'm getting
>>>>> signature-incorrect from commitpkg. I did sign like this 2 times
>>>>> before (opencv and cinelerra-cv), so it did work recently. gpg
>>>>> --verify outputs:
>>>>>
>>>>> gpg: Can't check signature: public key not found
>>>>>
>>>>> But this is normal, and the public key was not there for the previous
>>>>> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
>>>>> need to import my public key on alderaan?
>>>>
>>>> Is your key in your keychain on alderaan? Probably not from what this
>>>> looks like. Easy to check- `gpg --list-keys 0xfoobar`.
>>>>
>>>> -Dan
>>>>
>>>
>>> Nope. That was what I was asking - whether I need to add it. The last
>>> 2 times that I pushed signed packages from alderaan I didn't do
>>> anything gpg-related remotely.
>>>
>>> Anyway, imported the key now so all is good again.
>>>
>>>
>>> --
>>> GPG/PGP ID: C0711BF1
>>
>> don't import any key on alderaan.
>
> Hmm?
>
> He is trying to *verify*, meaning he needs his *public* key. This has
> nothing to do with signing or private keys. It make a heck of a lot
> more sense bandwidth-wise for him to upload the signature file to
> alderaan than upload both the package and signature from his local
> machine, so why should he not be able to do that? The `gpg --verify`
> call is there to make sure developers don't accidentally upload
> mismatched packages and corresponding signature files, which could
> easily happen when doing test builds and --nosign, etc.
>
> -Dan


Well, I understood that he signed the package on alderaan...

--
Ionuț
 
11-12-2011, 11:55 AM
Ray Rashif

sign packages on alderaan

On 12 November 2011 08:04, Ionut Biru <ibiru@archlinux.org> wrote:
> On 11/12/2011 01:59 AM, Dan McGee wrote:
>> On Fri, Nov 11, 2011 at 5:56 PM, Ionut Biru <ibiru@archlinux.org> wrote:
>>> On 11/12/2011 01:43 AM, Ray Rashif wrote:
>>>> On 12 November 2011 07:35, Dan McGee <dpmcgee@gmail.com> wrote:
>>>>> On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif <schiv@archlinux.org> wrote:
>>>>>> On 31 October 2011 02:06, Florian Pritz <bluewind@xinu.at> wrote:
>>>>>>> So far the only solution is to download the finished package, sign it
>>>>>>> locally using gpg --detach-sign <file> and then uploading the signature
>>>>>>> back to pkgbuild.com so commitpkg will find it.
>>>>>>
>>>>>> Did something change WRT this workflow now? I'm getting
>>>>>> signature-incorrect from commitpkg. I did sign like this 2 times
>>>>>> before (opencv and cinelerra-cv), so it did work recently. gpg
>>>>>> --verify outputs:
>>>>>>
>>>>>> gpg: Can't check signature: public key not found
>>>>>>
>>>>>> But this is normal, and the public key was not there for the previous
>>>>>> 2 times. Or was gpg --verify not there in commitpkg before? Do I now
>>>>>> need to import my public key on alderaan?
>>>>>
>>>>> Is your key in your keychain on alderaan? Probably not from what this
>>>>> looks like. Easy to check- `gpg --list-keys 0xfoobar`.
>>>>>
>>>>> -Dan
>>>>>
>>>>
>>>> Nope. That was what I was asking - whether I need to add it. The last
>>>> 2 times that I pushed signed packages from alderaan I didn't do
>>>> anything gpg-related remotely.
>>>>
>>>> Anyway, imported the key now so all is good again.
>>>>
>>>>
>>>> --
>>>> GPG/PGP ID: C0711BF1
>>>
>>> don't import any key on alderaan.
>>
>> Hmm?
>>
>> He is trying to *verify*, meaning he needs his *public* key. This has
>> nothing to do with signing or private keys. It make a heck of a lot
>> more sense bandwidth-wise for him to upload the signature file to
>> alderaan than upload both the package and signature from his local
>> machine, so why should he not be able to do that? The `gpg --verify`
>> call is there to make sure developers don't accidentally upload
>> mismatched packages and corresponding signature files, which could
>> easily happen when doing test builds and --nosign, etc.
>>
>> -Dan
>
>
> well, i understood that he signed the package on alderaan...

Then you misunderstood. My reply to the topic meant I was referring to
the only workaround to "sign packages on alderaan", which is to build,
download packages, sign locally, upload signatures, and then push
wholesale.

I followed that process on 2 previous occasions and there was no
complaint even when there was no public key on the remote machine, but
this time commitpkg complained about the signatures. So I only wanted
to know whether I did anything wrong.

Anyway, it's now evident that the verification was not there before.
Importing a public key poses no risk (done with --recv-keys), so there
is also no need to change anything in commitpkg.


--
GPG/PGP ID: C0711BF1
 