2013-11-29

XBPS 0.27 released

The latest XBPS stable version for 2013 is finally out: 0.27. This release contains a big feature: RSA signed repositories. The official Void repositories have been signed with a 4096bit RSA key specifically for this purpose.

The OpenSSH hexadecimal fingerprint of the RSA Void key is the following: 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d.

After upgrading to that version you should be able to print repository details via xbps-query(8), i.e (Raspberry Pi output):

$ xbps-query -vL
 1783 http://xbps.nopcode.org/repos/current (RSA signed, verified)
      Signed-by: Void Linux
      4096 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
    2 http://xbps.nopcode.org/repos/current/nonfree (RSA signed, verified)
      Signed-by: Void Linux
      4096 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d

Installing or updating packages from remote repositories will trigger a signature verification, i.e:

# xbps-install -Syu
[*] Updating `http://xbps.nopcode.org/repos/current/armv6l-repodata' ...
[*] Updating `http://xbps.nopcode.org/repos/current/nonfree/armv6l-repodata' ...
[*] http://xbps.nopcode.org/repos/current: RSA signature verified
[*] http://xbps.nopcode.org/repos/current/nonfree: RSA signature verified

External RSA public keys can be imported via xbps-install -S; just make sure to verify the validity of their fingerprint before accepting them blindly.

Release notes:

  • libxbps: make sure that base symlinks in the root directory are never removed, due to /usr switch in Void. This will also be harmless in other systems.

  • The testsuite now contains more tests than ever and will be extended as new issues appear.

  • Fixed issue #20

  • Fixed issue #19

  • Fixed issue #18

  • Fixed issue #6

  • xbps-rindex(8): also understands the XBPS_PASSPHRASE environmental variable to supply the passphrase when signing repositories.

  • xbps-rindex(8): added -v –verbose option.

  • Support for RSA signed repositories. A repository can be signed with your preferred RSA key (any ssh key works) as follows:

    $ xbps-rindex --sign --signedby "foobar <foo@bar>" --privkey /priv/key /path/to/repo

    If --privkey is not specified, it defaults to ~/.ssh/id_rsa.

    Public keys must be imported before using external remote repositories via xbps-install(8):

    $ xbps-install -S

    Starting from now on all remote repositories must be signed and verified. Local repos do not need to be signed and they will work as before.