From 9affcaa0216436436cddd0a5e598816c28147c95 Mon Sep 17 00:00:00 2001
From: Xavier Beaudouin
Date: Tue, 12 May 2026 08:16:01 +0200
Subject: [PATCH] Test signing packages
---
 poudriere/poudriere.d/poudriere.key | 52 +++++++++++++++++++++++++++++
 poudriere/poudriere.d/poudriere.pub | 14 ++++++++
 poudriere/sign.txt | 29 ++++++++++++++++
 3 files changed, 95 insertions(+)
 create mode 100644 poudriere/poudriere.d/poudriere.key
 create mode 100644 poudriere/poudriere.d/poudriere.pub
 create mode 100644 poudriere/sign.txt
diff --git a/poudriere/poudriere.d/poudriere.key b/poudriere/poudriere.d/poudriere.key
new file mode 100644
index 0000000..0f5a157
--- /dev/null
+++ b/poudriere/poudriere.d/poudriere.key
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDEvoH/E1GSpRJp +4tYqLqLGX6stejSmIdf9OtEQaQlewHLfutUyTZYaXki/nKrUM2P5Xabpd9vNkHqd +q0g39nLOx73vsDgeVeSlKXmzTkz1VVr9HDtFHuFn3nvAzSq1VmA8r53O87iQDvDg +mbu0iG8fikemA2KvWZcNrQCYvhYyzHfBAIpGJbdQSR47L5UT6KRHIyV8EbHwXb7e +zyq6WVrXp1yk5VX8WMSquqagdOuiA+SHdoxlFwA+t8BWn2QBAi0HddAIGFBrD7ah +BJqbi3sgIx7+eFFbS92avqj0b/+eJ1a0yLMTM/5dxwSC4UIT4aJysSEx3ZP8iYUj +ROgqDOPy+VNaZyyGqIesC0pR3zlrdMyz36g7IJkGRVXDVpLAwsXKpdj6ft4PSub6 +cJpnn+hTb8cE68jTwVqNe57rDiLJZI/qAWRsvwEfjm+jVJ0ngtFomcbnXCOTBMl0 +IQ3IuG4kLUvAueFoCPlAEzjuTw/sFu66yl/dAApMk4WiJGdzT4sSu8jONcqjEz2Q +FheWkaUKRmlMP9uXEQ31ChBNcnFZyNJahSou67ks2XX38krfrQ4DJHgO+EGW6yHc +c3L7jtuHp4qyn5x7iYyVpaDj87K1GspbENyRRer2rXtwGLEEtwyjCUHXVpQb/j7b +Lbry/QJZ/so9LMomQzJIfNCe8+pIrQIDAQABAoICADAfL8Ex2rctYIBdLwiAwSgX +wND+DdAfwYpq/zVOF7BhDofqFRj5cLAw5QbW/VKrYjXdYgTDYBQa1V7oxOCJS2IH +6Y1tkwBafnMmXqHMklbEgp2bsOSSbcwf1zGcjShvANl/E/CJXNiBiwnImGiLIXD7 +u9Qfilz84w1Bhj6V6eyRZe4jYW7QbVK6G6aa2BIXSk0rC9FZq6Xw7A1n6xnK3sUW +JrsfbAVtuebPgg+HoZXOcXBvvt2//zuX6rfVQxrbCyQCvTgpqEvTe1ZNf7pxZpOA ++6T+zVlxCDpADafCGCn5EcRkvaZCBqKt2czgZ27g9sCqUgX2Hir8AQBUK5wTbJJ0 ++oyvp4wbcY0Xc6RZHlyFQOlTSoZMYsZ0dmEM7zE1aALWMbvXhWOKbnHzWQfm2zKR +xVKTv0moP5fDYvTCC/QROhj4N8KwD/KSzbFjRtDQGlrmohh8g8XfgnYvAYqJjMZS +zxRQYWCD/FUYxxoHZsMbAvaiJbyyLxkTDtaunomkHv3CMED2iSxpsXz+aygLzzZj +YdzVw3KG6JhbeVdlKxEPYpZxxaGVL1t389pCw+jn0c3vv4tnmrKA2/IYIGjNOcX8 +nVDQDukDDwUYQye5Q0h0rtylgr/v+1usMvObaPqvxtVWw6Xmxk4LXlbEdIzbuQoL +2XBWHpXosIHtEGG26/PxAoIBAQDkuHOjjeI7JPJFK3qWcSLJUF/PavQisCL9JjtK +3WLfzkx+TDvdqUGmP8JxOvJfPxI4oP8g1kJ95gzWsM1iwmjenmBw0sYPzXeiqfOn +Xy3wphRDqjBF4jP9VhfD1tbt2v0Jusn01UCnvJG/VIx0I9cP4wYnIMCbv4horM5P +Ji4EouCsYrnEkJmCRwn1/ltyeHoGIC8wLVjLPXB1KdnlyUT+7PDVVGgq3XGSyX6L +oShNz+AeS5TdufBEru8PFvo7EbSSod5sEy49H2V3ueEwV2kV0uAMpHxyrlSarVhZ +9uumeoR1/sL//E/QxfulwjqawmRMotbtN2t1SJGmHjxTdWBxAoIBAQDcNbgLMukR +W7THdlVepHG8VNgy0UXPvAF9cPk57Th5fcqLkAzHw0wfdQOUDX+YXEl8C9BUv9z9 
+eB6ebT2/71NPFDGbcvQlregNwLVb0HHyzYouMccx+cUnmftdcEkB94Ig33Gthi9B +YPK+I68C+6k7SJL5eObmhnN/teiXUpYYh9MdIxLyzLKO5HVhy0O00+KcyiJXZxtc +JJ8LF9+h36yXVvwBSleLBwI1DKLRcRIlyD5xvPAbGF9GJRKkQKYx0HkH6a40uwU3 +kZwqfyj9RdhoK0+WV03a+1HwAwJsQkd2XXzJWH4z4NIYiXXMjQwkyCJd2990O4T3 +0gMu/eFj5gn9AoIBABKA8aoLsn/Cb281I0fEg2HyBK5NIs8jnNEKJMXbv0IH+JxH +Ipi+NrdydRKgCDe4bIr0S2+mpd51nBhKWXNh8wX/niHCi49/uewI/9NMmfTcGsuW +my0sLbSTIH0RhnXbv5jn6arLDd4EHW5zMqG6vI1menrz5WE0T57YTCCPIC3z12Va +31iNsj2d7apfF5rdMFIKjIbDRGm84Lo51o0GiXRuStWXbI37OFL9xiUZtp8E8EbD +Kpn9jvifhmucGkZpGki6m7n2m0kKnzTebt9wUuoXE1UygXbtr56L45fzqADh7JF3 +OONo0DQ9sCwq2H7otyCUE/tA/oqQgmgEDjFaT6ECggEBANvbZl0H/1qtTNi4dJOB +a2y06QYTmrfE5Vfwq2QCTBhAVzDwKVJo0l+13FS9BV+BBH0s7lsvE9ydSTSzrKss +ruiNKNoi80+LSdwxQuDgRGQ+gm+Mk2x6CzV2r1ii+sFT9EAN1tmA1z1XJgRgbCN2 +T4g49UTOSPpv0nD3lbk/Y0wqj8TPd+OiK8QupGN3Jaoswlv4FEFfWBmvFntk4ooj +X5XZ6tD/AFh2LuX4L7ccRRojyvSTxsXGl5jY+ruzMDscATq9PIi5EIRihKCJRMta +KK4YT+WyVLEFqtEOsCSWJ/Mtc6EzEQ2KsTh+RXZsfGtcxbMgCwFpS2CB9Vu9boLm +8aECggEBAN/3tpASUlXUFNOwvabdxN7OKkqtylt8EhYOYuhM0YMw+Wn3UDDUuE+e +X/m68uC314Cwclt3Nh7Epp+vA4uaC0qAeLMQfIQoTpye0V2t77vVKyYMcWieQo8X +8UAxD6dcymxxcRAmBOuixuDN1vZuYn1sBAIqcK1Hj8hqytcvUf4rC3R9a4yRlDOG +Rv9lrT1RX8NYgd7nkOQwhcdG/9zuNTCdcNqsixle+IHIEaJshh47OAjSKu4BoLm+ +G+49IuAxQVY1RZU1GbSKyLqJ/rJd9jNQyI8p7uY0v4f0kDSAaQnQ+LJR1r4Lh8pK +dLO7T6yKN3qaUVddnkuWhcwyxbv1Xgs= +-----END PRIVATE KEY----- diff --git a/poudriere/poudriere.d/poudriere.pub b/poudriere/poudriere.d/poudriere.pub new file mode 100644 index 0000000..efffb9d --- /dev/null +++ b/poudriere/poudriere.d/poudriere.pub 
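Review bot: The private half of the package-signing key is committed unencrypted as `poudriere/poudriere.d/poudriere.key`, so anyone who can read this repository or patch can produce packages that clients trusting `poudriere.pub` will accept as genuine. Treat this key pair as compromised even if it was only meant for a test: drop the file from the commit, generate a fresh pair directly on the build host, and rewrite history if the repository has been shared. Only the public key belongs under version control; the private key should exist solely at the path `sign.txt` already names (`/usr/local/etc/ssl/private/poudriere.key`), readable by root only. An ignore rule such as `poudriere/poudriere.d/*.key` would keep it from being re-added.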
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxL6B/xNRkqUSaeLWKi6i
+xl+rLXo0piHX/TrREGkJXsBy37rVMk2WGl5Iv5yq1DNj+V2m6XfbzZB6natIN/Zy
+zse977A4HlXkpSl5s05M9VVa/Rw7RR7hZ957wM0qtVZgPK+dzvO4kA7w4Jm7tIhv
+H4pHpgNir1mXDa0AmL4WMsx3wQCKRiW3UEkeOy+VE+ikRyMlfBGx8F2+3s8qulla
+16dcpOVV/FjEqrqmoHTrogPkh3aMZRcAPrfAVp9kAQItB3XQCBhQaw+2oQSam4t7
+ICMe/nhRW0vdmr6o9G//nidWtMizEzP+XccEguFCE+GicrEhMd2T/ImFI0ToKgzj
+8vlTWmcshqiHrAtKUd85a3TMs9+oOyCZBkVVw1aSwMLFyqXY+n7eD0rm+nCaZ5/o
+U2/HBOvI08FajXue6w4iyWSP6gFkbL8BH45vo1SdJ4LRaJnG51wjkwTJdCENyLhu
+JC1LwLnhaAj5QBM47k8P7Bbuuspf3QAKTJOFoiRnc0+LErvIzjXKoxM9kBYXlpGl
+CkZpTD/blxEN9QoQTXJxWcjSWoUqLuu5LNl19/JK360OAyR4DvhBlush3HNy+47b
+h6eKsp+ce4mMlaWg4/OytRrKWxDckUXq9q17cBixBLcMowlB11aUG/4+2y268v0C
+Wf7KPSzKJkMySHzQnvPqSK0CAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/poudriere/sign.txt b/poudriere/sign.txt
new file mode 100644
index 0000000..91adfe4
--- /dev/null
+++ b/poudriere/sign.txt
@@ -0,0 +1,29 @@
+# 1. Générer les clés (une seule fois)
+openssl genrsa -out /usr/local/etc/ssl/private/poudriere.key 4096
+openssl rsa -in /usr/local/etc/ssl/private/poudriere.key \
+ -pubout -out /usr/local/etc/ssl/certs/poudriere.pub
+
+# 2. poudriere.conf
+echo 'PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/private/poudriere.key' \
+ >> /usr/local/etc/poudriere.conf
+
+# 3. Construire (poudrière signe automatiquement)
+poudriere bulk -j 14amd64 -p default -f /usr/local/etc/poudriere/pkglist
+
+# 4. Distribuer la clé publique aux clients
+scp /usr/local/etc/ssl/certs/poudriere.pub client:/usr/local/etc/ssl/certs/
+
+# 5. Sur le client : /etc/pkg/poudriere.conf
+cat > /etc/pkg/poudriere.conf << 'EOF'
+poudriere: {
+ url: "http://build-server/packages/14amd64-default",
+ mirror_type: "http",
+ signature_type: "pubkey",
+ pubkey: "/usr/local/etc/ssl/certs/poudriere.pub",
+ enabled: yes
+}
+EOF
+
+# 6. Vérifier
+pkg update
+pkg install mon-paquet
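Review bot: Step 1 of `sign.txt` never pins the owner or mode of the signing key, so its protection depends on whatever umask and OpenSSL defaults are in effect when the commands are run. Following the `genrsa` line with `chmod 0400 /usr/local/etc/ssl/private/poudriere.key` would make the intended access explicit. The client repository in step 5 is fetched over plain `http://`; the `pubkey` check still covers the signed catalogue, but the transport is unauthenticated, so consider `url: "https://build-server/packages/14amd64-default"` if the build server can serve TLS. Step 2 appends with `>>`, so running it a second time leaves a duplicate `PKG_REPO_SIGNING_KEY` line in `poudriere.conf`.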