2013-11-29
XBPS 0.27 released
The latest XBPS stable version for 2013 is finally out: 0.27. This release contains a big feature: RSA signed repositories. The official Void repositories have been signed with a 4096bit RSA key specifically for this purpose.
The OpenSSH hexadecimal fingerprint of the RSA Void key is the following:
60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
.
After upgrading to that version you should be able to print repository details
via xbps-query(8)
, i.e (Raspberry Pi output):
$ xbps-query -vL
1783 http://xbps.nopcode.org/repos/current (RSA signed, verified)
Signed-by: Void Linux
4096 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
2 http://xbps.nopcode.org/repos/current/nonfree (RSA signed, verified)
Signed-by: Void Linux
4096 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
Installing or updating packages from remote repositories will trigger a signature verification, i.e:
# xbps-install -Syu
[*] Updating `http://xbps.nopcode.org/repos/current/armv6l-repodata' ...
[*] Updating `http://xbps.nopcode.org/repos/current/nonfree/armv6l-repodata' ...
[*] http://xbps.nopcode.org/repos/current: RSA signature verified
[*] http://xbps.nopcode.org/repos/current/nonfree: RSA signature verified
External RSA public keys can be imported via xbps-install -S
; just make sure to verify
the validity of their fingerprint before accepting them blindly.
Release notes:
-
libxbps: make sure that base symlinks in the root directory are never removed, due to
/usr
switch in Void. This will also be harmless in other systems. -
The testsuite now contains more tests than ever and will be extended as new issues appear.
-
Fixed issue #20
-
Fixed issue #19
-
Fixed issue #18
-
Fixed issue #6
-
xbps-rindex(8)
: also understands theXBPS_PASSPHRASE
environmental variable to supply the passphrase when signing repositories. -
xbps-rindex(8)
: added -v –verbose option. -
Support for RSA signed repositories. A repository can be signed with your preferred RSA key (any ssh key works) as follows:
$ xbps-rindex --sign --signedby "foobar <foo@bar>" --privkey /priv/key /path/to/repo
If
--privkey
is not specified, it defaults to~/.ssh/id_rsa
.Public keys must be imported before using external remote repositories via
xbps-install(8)
:$ xbps-install -S
Starting from now on all remote repositories must be signed and verified. Local repos do not need to be signed and they will work as before.