Poudriere ssl broken with 12.0?

# create the signing key and its public half (pkg's "pubkey" signature type
# takes the PEM public key written by -pubout; the .cert name is only a
# convention, the file is not an X.509 certificate):
mkdir -p /usr/local/etc/ssl/{keys,certs}
chmod 0600 /usr/local/etc/ssl/keys
openssl genrsa -out /usr/local/etc/ssl/keys/poudriere.key 4096
openssl rsa -in /usr/local/etc/ssl/keys/poudriere.key -pubout -out /usr/local/etc/ssl/certs/poudriere.cert

Doesn't seem to work after building a ports tree.

When the session ends, I get:

pkg-static: can't load key from /tmp/repo.key

This setup is a copy of the same thing from 11.2-p6, which works.

Is there an "issue" with SSL in 12.0-RELEASE?
 
I did some more digging and it looks like, on a NEW install of FreeBSD 12-RELEASE with a new setup of ports-mgmt/poudriere that pkg-static has a problem with openssl 1.1.1 in base. The problem I am seeing is similar to this bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232254

Disabling PKG_REPO_SIGNING_KEY in /usr/local/etc/poudriere.conf will allow the built packages to be added to the repo. Otherwise, the packages get built but the repository fails to get built.
 
Interesting, I am on 12-RELEASE, have PKG_REPO_SIGNING_KEY set, but it works fine; however, the keys were already in there - that's probably why I didn't experience it. :)

Thanks!
 
I will have a look, but I've rebuilt all ports since the poudriere jail was new, and pkg is configured with signature_type: "pubkey".

EDITED
 
How are you testing it? I've never had the curiosity to know how the signing is done, but I dug around a bit on IRC (#poudriere) yesterday, and it seems poudriere just signs the metadata and not the package itself. I still would need to check it out later.
 
You're right, just the metadata is signed. There's a file, /usr/local/share/poudriere/common.sh, that has the task.

Code:
        # Sign the ports-mgmt/pkg package for bootstrap
        if [ -e "${PACKAGES}/Latest/pkg.txz" ]; then
                if [ -n "${SIGNING_COMMAND}" ]; then
                        sign_pkg fingerprint "${PACKAGES}/Latest/pkg.txz"
                elif [ -n "${PKG_REPO_SIGNING_KEY}" ]; then
                        sign_pkg pubkey "${PACKAGES}/Latest/pkg.txz"
                fi
        fi
 