pkg
pkg fails to validate rsa signature on 14.0-CURRENT
# FreeBSD pkgbase repo (/usr/local/etc/pkg/repos/FreeBSD-base.conf)
FreeBSD-base: {
    url: "https://alpha.pkgbase.live/current/${ABI}/latest",
    signature_type: "pubkey",
    pubkey: "/usr/local/etc/pkg/keys/alpha.pkgbase.live.pub",
    enabled: yes
}
# pkg update -r FreeBSD-base
Updating FreeBSD-base repository catalogue...
Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
Fetching packagesite.pkg: 100% 33 KiB 33.6kB/s 00:01
pkg: -----BEGIN PUBLIC KEY-----…-----END PUBLIC KEY-----
: rsa signature verification failure
pkg: Invalid signature, removing repository.
Unable to update repository FreeBSD-base
Error updating repositories!
This works fine on 13-STABLE and 13.2-RELEASE, so I suspect it's got something to do with OpenSSL 3.0.
@igalic did you figure out a workaround for this? I'm seeing it on a 14.0-ALPHA1 VM running 'pkg update' directed to my home lab pkgbase builder. A 13-STABLE VM doesn't show the problem for me either.
Unfortunately, no. The workaround @bapt suggested on IRC, to use pkg from 14 for signing, didn't accomplish anything.
This seems to be from b4d2e2f. Forcing pkg to always use the OpenSSL 3.0 stuff in libpkg/rsa.c fixes signing for -CURRENT from -STABLE for me. patch-libpkg_rsa.txt
Could you submit that as a pull request? I can't even look at the patch (on my phone, the computer I use 90% of the time).
@ttyva your patch breaks backward compatibility, hence why it hasn't been done, as described in the commit log.
This is still a problem with 1.20.9. Poudriere uses the jail's pkg for signing the repo. So for me, a 13.2 jail's pkg signs the repo and then a 14.0 host with pkg -j fails to validate the signature. It needs to be forward compatible somehow.
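The two comments above are about the same thing from opposite ends: a signer and a verifier built against different pkg/OpenSSL generations that no longer agree on the signature layout, and the wish that the verifier tolerate both. The script below is an added example, not pkg's code and not the actual layouts from libpkg/rsa.c; it uses two stand-in detached-signature layouts (chosen for illustration, an assumption) over a constructed catalogue file to show the verifier shape that gives forward compatibility: try the current layout, fall back to the older one, and reject the file only if neither verifies. It assumes the openssl CLI is on the PATH.

```shell
#!/bin/sh
# Added example (not pkg's own code). Two stand-in detached-signature layouts
# and a verifier that accepts either; the layouts are an assumption chosen for
# illustration and are NOT pkg's real legacy/new formats from libpkg/rsa.c.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway RSA key pair for the repo signer (assumes the openssl CLI exists).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/repo.key" 2>/dev/null
    openssl pkey -in "$WORK/repo.key" -pubout -out "$WORK/repo.pub"
}

# "new" layout: PKCS#1 v1.5 signature over SHA-256 of the raw catalogue bytes.
sign_new() {   # $1=file  $2=signature-out
    openssl dgst -sha256 -sign "$WORK/repo.key" -out "$2" "$1"
}

# "legacy" layout (stand-in): the signer hex-encodes the SHA-256 digest first
# and signs that ASCII string, not the raw bytes. A verifier that only knows
# the "new" layout cannot validate such a signature, even with the right key.
hex_digest() {  # $1=file -> prints the lowercase hex SHA-256 with no newline
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1 | tr -d '\n'
}
sign_legacy() {   # $1=file  $2=signature-out
    hex_digest "$1" | openssl dgst -sha256 -sign "$WORK/repo.key" -out "$2"
}

verify_new() {      # $1=pubkey $2=file $3=signature ; exit 0 on success
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}
verify_legacy() {   # $1=pubkey $2=file $3=signature ; exit 0 on success
    hex_digest "$2" | openssl dgst -sha256 -verify "$1" -signature "$3" \
        >/dev/null 2>&1
}

# Forward-compatible verifier: prefer the current layout, fall back to the
# older one, print which matched, and fail only if neither does.
verify_any() {      # $1=pubkey $2=file $3=signature
    if verify_new "$1" "$2" "$3"; then echo new; return 0; fi
    if verify_legacy "$1" "$2" "$3"; then echo legacy; return 0; fi
    echo none; return 1
}

# Demo on a constructed catalogue file (not a real packagesite.yaml).
gen_key
printf 'packagesite: constructed sample catalogue\n' > "$WORK/packagesite.yaml"
sign_new    "$WORK/packagesite.yaml" "$WORK/sig.new"
sign_legacy "$WORK/packagesite.yaml" "$WORK/sig.legacy"
echo "sig.new    -> $(verify_any "$WORK/repo.pub" "$WORK/packagesite.yaml" "$WORK/sig.new")"
echo "sig.legacy -> $(verify_any "$WORK/repo.pub" "$WORK/packagesite.yaml" "$WORK/sig.legacy")"
if verify_new "$WORK/repo.pub" "$WORK/packagesite.yaml" "$WORK/sig.legacy"; then
    echo "new-only verifier accepted legacy sig (unexpected)"
else
    echo "new-only verifier rejected legacy sig (this is the thread's failure mode)"
fi
```

The point of trying the layouts in a fixed order is that a consumer built against the newer code path keeps accepting repos signed by the older one during a migration, which is the direction (old signer, new verifier) the thread reports as broken; the reverse direction still needs the signer's layout to be something the consumer has already learned. Any fallback should be dropped again once no supported producer emits the old layout.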
> This seems to be from b4d2e2f. Forcing pkg to always use the OpenSSL 3.0 stuff in libpkg/rsa.c fixes signing for -CURRENT from -STABLE for me. patch-libpkg_rsa.txt
I dropped this patch in my pkg port to always use the new signature (even on openssl111 jails) and now my jails are again working. (Also spawned the need for a Poudriere feature to force rebuild pkg without deleting all packages. I'll push that out at some point).
Ran into the same issue today: I distribute packages from my 13.2-based host, while building them on/for a 14.0 box. For security, packages are signed on the 13.2-based host, which now fails.
This has been open for quite some time now. Can we maybe get a fix committed?
> the workaround @bapt suggested on IRC to use pkg from 14 for signing didn't accomplish anything
Actually signing on 14 and installing on 13 works for me, but only after I update pkg as the old one from 13 is not good enough.
On a TrueNAS of mine I have the following startup script in order to use my own packages (signed from 14):
#!/bin/sh
# Replace the stock repo configs with my own set (pointing at the repo signed from 14)
rm /usr/local/etc/pkg/repos/FreeBSD.conf /usr/local/etc/pkg/repos/local.conf
cp my-repos/* /usr/local/etc/pkg/repos/
# Pull a current pkg from the official FreeBSD repo first; the old one cannot parse my repo's signature
pkg install -yr FreeBSD pkg
# With the updated pkg, installing from my own repo works
pkg install -y node_exporter vmutils …
Doing the second pkg install directly would fail as it cannot parse my repo's signature, but first forcing a pkg update from repo FreeBSD solves it for me.
We won't be able to provide a better upgrade path, unfortunately.