Commit Graph

6 Commits

Author SHA1 Message Date
Baptiste Daroussin
61acb4582f Implement pubkey support for the bootstrap
Note that to not interfer with finger print it expects a signature on pkg itself
which is named pkg.txz.pubkeysign

To genrate it:
echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \
    -binary -out ./pkg.txz.pubkeysig

Note the "echo -n" which prevent signing the '\n' one would get otherwise

PR:		202622
MFC after:	1 week
2015-09-08 21:25:36 +00:00
Bryan Drewery
eb31a57474 Fix multi-repository support by properly respecting 'enabled' flag.
This will read the REPOS_DIR env/config setting (default is /etc/pkg
and /usr/local/etc/pkg/repos) and use the last enabled repository.

This can be changed in the environment using a comma-separated list,
or in /usr/local/etc/pkg.conf with JSON array syntax of:
    REPOS_DIR: ["/etc/pkg", "/usr/local/etc/pkg/repos"]

Approved by:	bapt
MFC after:	1 week
2013-12-12 17:59:09 +00:00
Bryan Drewery
f12db248e7 Support checking signature for pkg bootstrap.
If the pkg.conf is configured with SIGNATURE_TYPE: FINGERPRINTS,
and FINGERPRINTS: /etc/keys/pkg then a pkg.sig file is fetched along
with pkg.txz. The signature contains the signature provided by the
signing server, and the public key. The .sig is the exact output
from the signing server in the following format:

  SIGNATURE
  <openssl signed>
  CERT
  <rsa public key>
  END

The signature is verified with the following logic:

 - If the .sig file is missing, it fails.
 - If the .sig doesn't validate, it fails.
 - If the public key in the .sig is not in the known trusted fingerprints,
   it fails.
 - If the public key is in the revoked key list, it fails.

Approved by:	bapt
MFC after:	2 days
Discussed by:	bapt with des, jonathan, gavin
2013-10-26 03:43:02 +00:00
Bryan Drewery
bc5e9ac08d Add support for reading configuration files from /etc/pkg.
For now only /etc/pkg/FreeBSD.conf is supported. Its style is:

Repo: {
   URL: "...",
   MIRROR_TYPE: "...",
   ...
}

The configuration will be read from /usr/local/etc/pkg.conf if exists,
otherwise /etc/pkg/FreeBSD.conf

Approved by:	bapt
MFC after: 	2 days
2013-10-26 03:31:05 +00:00
Bryan Drewery
62940ea951 Add support for using "pkg+http://" for the PACKAGESITE.
pkg 1.2 is adding this support as well. This should help
lessen the confusion on why the default SRV PACKAGESITE
does not load in a browser.

Adapated from:	matthew's upstream pkg change
Approved by:	bapt
MFC after:	2 days
2013-10-24 10:49:55 +00:00
Baptiste Daroussin
9950eceee6 Add the ability to correctly read pkg.conf is exists.
Only look for boostrap useful options:
 - PACKAGESITE
 - ABI
 - MIRROR_TYPE
 - ASSUME_ALWAYS_YES

While here makes PACKAGESITE expand the ${ABI} variable.
Allow to deactivate any SRV record look up (MIRROR_TYPE=none)
Use the same mechanism as for pkgng itself: first get configuration out of
environment variable and fallback on pkg.conf if exists.

Reviewed by:	bdrewery
2013-03-05 13:31:06 +00:00