XBPS 0.27 released
The latest XBPS stable version for 2013 is finally out: 0.27. This release contains a big feature: RSA signed repositories. The official Void repositories have been signed with a 4096-bit RSA key specifically for this purpose.
The OpenSSH hexadecimal fingerprint of the RSA Void key is the following:
After upgrading to that version you should be able to print repository details with xbps-query(8), e.g. (Raspberry Pi output):
$ xbps-query -vL
 1783 http://xbps.nopcode.org/repos/current (RSA signed, verified)
      Signed-by: Void Linux
      4096 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
    2 http://xbps.nopcode.org/repos/current/nonfree (RSA signed, verified)
      Signed-by: Void Linux
      4096 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
Installing or updating packages from remote repositories will trigger a signature verification, i.e:
# xbps-install -Syu
[*] Updating `http://xbps.nopcode.org/repos/current/armv6l-repodata' ...
[*] Updating `http://xbps.nopcode.org/repos/current/nonfree/armv6l-repodata' ...
[*] http://xbps.nopcode.org/repos/current: RSA signature verified
[*] http://xbps.nopcode.org/repos/current/nonfree: RSA signature verified
External RSA public keys can be imported via xbps-install -S; just make sure to verify the validity of their fingerprint before accepting them blindly.
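One way to check an offered key's size and fingerprint against values obtained out of band before accepting it. This is an added example, not part of XBPS; it assumes the fingerprint is the legacy OpenSSH MD5 colon-hex form (16 bytes, as in the output above) and that the key is available as an `ssh-rsa` public key line. The function names and both sample keys are constructed for illustration.

```python
import base64
import hashlib

def ssh_string(data):  # SSH wire string: 4-byte big-endian length + bytes
    return len(data).to_bytes(4, "big") + data

def ssh_mpint(n):  # SSH wire mpint for n > 0; extra byte keeps sign bit clear
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def read_fields(blob):
    """Split a key blob into its length-prefixed fields, rejecting truncation."""
    fields, off = [], 0
    while off < len(blob):
        size = int.from_bytes(blob[off:off + 4], "big")
        field = blob[off + 4:off + 4 + size]
        if off + 4 > len(blob) or len(field) != size:
            raise ValueError("truncated key blob")
        fields.append(field)
        off += 4 + size
    return fields

def describe_key(pubkey_line):
    """Return (modulus bits, MD5 colon-hex fingerprint) of an 'ssh-rsa ...' line."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields = read_fields(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("unexpected key blob layout")
    bits = int.from_bytes(fields[2], "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()  # fingerprint covers the whole blob
    return bits, ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def key_matches_pin(pubkey_line, pinned_bits, pinned_fp):
    """True only if key size and fingerprint both equal the out-of-band values."""
    bits, fp = describe_key(pubkey_line)
    return bits == pinned_bits and fp == pinned_fp.strip().lower()

def constructed_key(n):
    """Constructed sample line (not a real key): exponent 65537, modulus n."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

SAMPLE_KEY = constructed_key((1 << 4095) | 1)  # stands in for the expected key
OTHER_KEY = constructed_key((1 << 4095) | 3)   # stands in for a different key

if __name__ == "__main__":
    print(*describe_key(SAMPLE_KEY))  # "<bits> <fingerprint>", as in xbps-query -vL
```

The pinned size and fingerprint passed to `key_matches_pin` should come from a channel other than the repository being added.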
libxbps: make sure that base symlinks in the root directory are never removed, due to the /usr switch in Void. This will also be harmless in other systems.
The testsuite now contains more tests than ever and will be extended as new issues appear.
Fixed issue #20
Fixed issue #19
Fixed issue #18
Fixed issue #6
xbps-rindex(8): also understands the XBPS_PASSPHRASE environment variable to supply the passphrase when signing repositories.
xbps-rindex(8): added -v, --verbose option.
Support for RSA signed repositories. A repository can be signed with your preferred RSA key (any ssh key works) as follows:
$ xbps-rindex --sign --signedby "foobar <foo@bar>" --privkey /priv/key /path/to/repo
If --privkey is not specified, it defaults to
Public keys must be imported before using external remote repositories via
$ xbps-install -S
From now on, all remote repositories must be signed and verified. Local repos do not need to be signed and will work as before.