On Sat, Dec 12, 2015 at 12:46:24PM +0100, Landry Breuil wrote: > Hi, > > Thx to letsencrypt, i switched my server to full-https, and while here > setupped a signify key for the packages i build. That still means that > you need to trust me (and who am i to be trusted?), the root CA that > trusts letsencrypt, and upstream mozilla, but that was a nice > experiment, and somewhat requested. That doesnt mean i endorse all the > fluff and wanking around privacy/trust/whatnot... > > Note the difference, since the server now uses HSTS, if you still use a > PKG_PATH pointing to http:// pkg_add might spew warnings when scanning > the repo: > > Error from http://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz > Redirected to https://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz > Requesting https://rhaalovely.net/stuff/i386/firefox-43.0rc1.tgz > > The git/cgit repo is now accessible over https if you want to build > packages yourself: > > https://cgit.rhaalovely.net/mozilla-firefox/?h=release > git clone -b release https://git.rhaalovely.net/git/mozilla-firefox > > The key & packages are on the same server: > $doas ftp -o /etc/signify/landry-mozilla-pkg.pub > https://rhaalovely.net/stuff/landry-mozilla-pkg.pub > $PKG_PATH=https://rhaalovely.net/stuff/i386/ doas pkg_add firefox > (or) > $PKG_PATH=https://rhaalovely.net/stuff/amd64/ doas pkg_add firefox > > And you can check that the package/PLIST is effectively signed by this > key: > > $pkg_info -f /var/db/pkg/firefox-43.0rc1 |grep sign > @signer landry-mozilla-pkg > @digital-signature > signify:2015-12-12T11:16:08Z:RWRh/RSo0GgoYkXCBR/rv1w+zIm3snIJ8vxil57GUaLunfMCjtwhrYtcW/HPH4x43KxrFn+vYYuekCwbc7jD1ZSEiI71HuMe2Ag= > > Landry
To go full circle, could you sign your server's SSL certificate (or the fingerprint thereof) with your signify key? :)
