pkg: HTTPS by default

Cath O'Deray

Cath O'Deray

Users of 13.2-RELEASE⋯, stable/13, 14.0⋯, and 15.0-CURRENT can use HTTPS.

Example​

/usr/local/etc/pkg/repos/FreeBSD.conf using HTTPS and latest, /etc/pkg/FreeBSD.conf using HTTPS:

Code: 
root@freebsd:~ # cat /usr/local/etc/pkg/repos/FreeBSD.conf
FreeBSD: {
  url: "pkg+https://pkg.freebsd.org/${ABI}/latest"
}
root@freebsd:~ # grep -v \# /etc/pkg/FreeBSD.conf

FreeBSD: {
  url: "pkg+https://pkg.freebsd.org/${ABI}/quarterly",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
root@freebsd:~ # freebsd-version -kru ; uname -KU
13.2-RELEASE-p4
13.2-RELEASE-p4
13.2-RELEASE-p4
1302001 1302001
root@freebsd:~ # pkg update -f
Updating FreeBSD repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01 
Fetching packagesite.pkg: 100%    7 MiB   3.5MB/s    00:02 
Processing entries: 100%
The provides database is up-to-date.
FreeBSD repository update completed. 34198 packages processed.
All repositories are up to date.
root@freebsd:~ # pkg -vv | grep -A 15 epositories
Repositories:
  FreeBSD: {
    url             : "pkg+https://pkg.freebsd.org/FreeBSD:13:amd64/latest",
    enabled         : yes,
    priority        : 0,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }
root@freebsd:~ #

Note, the pkg+https parts of the URLs – with an s.

For convenience, /usr/local/etc/pkg/repos/FreeBSD.conf alone:

Code: 
FreeBSD: {
  url: "pkg+https://pkg.freebsd.org/${ABI}/latest"
}

Background​


On the releng/13.2 branch:

github.com

caroot: add new certs · freebsd/freebsd-src@902c13c

Based on dates, these were likely just missed in the last update... add them now. - Twenty (20) new Approved by: so Security: FreeBSD-EN-23:11.caroot (cherry picked from commit ee0aa1ce12b3caea3...
github.com github.com
  • cherry-picked from commits on main and stable/13.
On the main branch:

github.com

pkg: use https by default · freebsd/freebsd-src@d557a86

Switch the repository to use https by default, base is providing a CA root bundle suitable to validate the certificates used by the project. This can now be activated without requiring another pack...
github.com github.com

d557a86c879a can be cherry-picked to:
  • stable/13
  • stable/14
  • releng/14.0.
 
PR merged.


Now, for FreeBSD 13⋯, 14⋯ or 15⋯ to use latest packages of ports – if not previously switched to latest:

mkdir -p /usr/local/etc/pkg/repos
echo 'FreeBSD: { url: "pkg+https://pkg.freebsd.org/${ABI}/latest" }' > /usr/local/etc/pkg/repos/FreeBSD.conf

If previously switched:

sed -i -e 's|'pkg+http://pkg.FreeBSD'|'pkg+https://pkg.freebsd'|g' /usr/local/etc/pkg/repos/FreeBSD.conf

Also, for the file that is normally not modified, you can:

sed -i -e 's|'pkg+http://pkg.FreeBSD'|'pkg+https://pkg.freebsd'|g' /etc/pkg/FreeBSD.conf

(Run as the superuser.)
 
You must log in or register to reply here.
Back
Top