DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Packages and Ports

OpenBSD Packages and Ports Installation and upgrading of packages and ports on OpenBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 24th October 2019
fvgit's Avatar
fvgit fvgit is offline
Spikes in tights
 
Join Date: May 2016
Location: perl -MMIME::Base64 -le 'print decode_base64("U2hlcndvb2QgRm9yZXN0")'
Posts: 207
Default 6.6 i386 pkg verification failure (wrong key) on 6.5

I can't seem to be able to verify i386 packages for 6.6 on a 6.5 release. Can anyone confirm this?

Code:
$ uname -mr
6.5 i386
Code:
$ cat /etc/signify/openbsd-66-pkg.pub  
untrusted comment: OpenBSD 6.6 packages public key
RWSS4lqHZ5ayOFMBPj3leAkE9tCsSWG9OxD6MmAIS5Y3H3tD6F4vP/eF
Code:
$ ftp https://cdn.openbsd.org/pub/OpenBSD/...upobsd-1.1.tgz
Trying 151.101.130.217...
Requesting https://cdn.openbsd.org/pub/OpenBSD/...upobsd-1.1.tgz
100% |**************************************************| 11185       00:00    
11185 bytes received in 0.02 seconds (699.95 KB/s)
Code:
$ signify -C -p /etc/signify/openbsd-66-pkg.pub -x SHA256.sig upobsd-1.1.tgz 
signify: verification failed: checked against wrong key
Neither the release files (for both i386 and amd64) nor the stable packages (i386 and amd64) or the amd64 packages for that matter give me such an error. Verification only fails for i386 release packages. (I haven't tested other architectures)

Reply With Quote
  #2   (View Single Post)  
Old 24th October 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,819
Default

Packages are not included in a release's SHA256.sig file. Review the file contents.

Instead, the header within each package tarball contains the package signature. pkg_add(1) is used to check signatures for validity.


Edited to add: see pkg_sign(1). The signature is stored in the gzip(1) comment at the head of the tarball.
Reply With Quote
  #3   (View Single Post)  
Old 24th October 2019
fvgit's Avatar
fvgit fvgit is offline
Spikes in tights
 
Join Date: May 2016
Location: perl -MMIME::Base64 -le 'print decode_base64("U2hlcndvb2QgRm9yZXN0")'
Posts: 207
Default

Good catch, mate! Take a look a this! Apparently the signature file in the 6.6 package directory for the i386 architecture uses the 6.5 public key whereas the one in the amd64 directory uses the newer 6.6 public key. Weird.

/pub/OpenBSD/6.6/packages/i386/SHA256.sig
https://cdn.openbsd.org/pub/OpenBSD/...386/SHA256.sig

Code:
untrusted comment: verify with openbsd-65-pkg.pub
RWS5D4+188RI6h0taiwVO5j055UMwmNf7zKqzkT/lDY30Mvtv7jeEU1wVnG+3HmuT1cAXfmkcvwci/FDfkiN75gFFE3zlkg63gA=
SHA256 (0ad-0.0.23bp0.tgz) = 7YRlebcdDUsI+IS5o8YZaVIm7vrcOK5SlSdGd4e4wWI=
SHA256 (0ad-data-0.0.23b.tgz) = hDSAoCdjiClZfDrWSI7I6jElZ+bKprjc3geHXFigir4=
SHA256 (1oom-1.0.tgz) = P3qU/Ep395fhIBdhkUvh35nb5/sgsWjMIMM/aEtL+ww=
SHA256 (2048-cli-0.9.1.tgz) = B/g4FNnjaq8GvcA7jFMFU9tp1pUvcD8WQdqpi/IryEw=
SHA256 (2bwm-0.3.tgz) = sAQGyrJddPWQQyAUnwHvZ9yHHZFXqNn+tWwJirY8HA8=
(...)
/pub/OpenBSD/6.6/packages/amd64/SHA256.sig
https://cdn.openbsd.org/pub/OpenBSD/...d64/SHA256.sig

Code:
untrusted comment: verify with openbsd-66-pkg.pub
RWSS4lqHZ5ayOKb00PkyiEvhSmAO/sc4P2xuPedd2a2lrfsHTQqDsHvPeqSfEyWKTEYJYpXjYtUf9kqaqmgFdvuF5SURkuKL4w8=
SHA256 (0ad-0.0.23bp0.tgz) = LhD0l0aLeqPBybgDZAp1Fb5vTwmXDFoL3i2uNfQH33A=
SHA256 (0ad-data-0.0.23b.tgz) = BxhNq1Wyv6OSIaUnAN/LxbPLQKKnUzbUdN2T8FIroek=
SHA256 (1oom-1.0.tgz) = a5pv1TTnASXCplZUaNM+9YpQTwXRkcw1u9XkF+LfUys=
SHA256 (2048-cli-0.9.1.tgz) = UXJa6UZrIg5gA32MFF5ArBKT/k4n1XBHT0tepG3wYow=
SHA256 (2bwm-0.3.tgz) = STiKPdyYR+43FBZYKSC/LSKnK85/Z3piaATEJcgt99I=
(...)
Reply With Quote
  #4   (View Single Post)  
Old 24th October 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,819
Default

I spent about 10 minutes playing with pkg_add -D SIGNER= and could not get it to fail, so I extracted the signify message from the gzip comment header in the 6.6/i386 package for upobsd-1.1.tgz, confirming what you see in the package SHA256.sig file stored with the collection.
Code:
untrusted comment: verify with openbsd-65-pkg.pub
RWS5D4+188RI6tcXF+2EEvhE2KaknlwzHYIPEgqnls9+3BACLLxe4++D34iyxhYStsva7nrwylSh0yGGnAsJKypY8gJLsft0ZgQ=
date=2019-10-11T14:55:13Z
key=/etc/signify/openbsd-65-pkg.sec
algorithm=SHA512/256
blocksize=65536
You may wish to bring this to the attention of the Project via the ports@ mailing list.
Reply With Quote
Reply

Tags
openbsd 6.5, signify

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD laptop hardware verification jjstorm OpenBSD Installation and Upgrading 7 25th February 2016 01:56 AM
Continue without verification? cravuhaw2C OpenBSD Installation and Upgrading 27 13th July 2014 11:12 PM
Security cURL goes wrong J65nko News 0 8th February 2013 03:30 PM
BBC activates iPlayer Flash verification - Locking out open source J65nko News 0 25th February 2010 08:51 PM
Copy w/ active verification Weaseal FreeBSD General 4 5th February 2009 12:23 AM


All times are GMT. The time now is 08:55 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick