pkg signing/validation issue. #567

Open
jgc234 opened this issue Dec 7, 2018 · 2 comments

Comments


jgc234 commented Dec 7, 2018

I've got a problem with package signing (or validation more to the point), but I'm unsure if I've got it right yet.

Using:

  • pkgbuild image d11a6444-c732-11e8-ad33-af7cfa11c61b
  • instructions from https://github.com/joyent/pkgsrc-legacy/wiki/pkgdev:signing
  • using run-sandbox 2018Q3-x86_64 for an env.
  • unsure where the gpg2 comes from in the sandbox, so I've done a "pkg_add gnupg2" in the sandbox itself - is that the correct procedure? It wasn't clear in the above instructions. (gnupg2-2.2.10)
  • builds and signs a package fine, using key from agent.
  • key also imported to pkgsrc.gpg and can be seen with --list-keys.

--root@pkgsrc-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> file /data/packages/SmartOS/2018Q3/x86_64/All/digest-20160304.tgz
/data/packages/SmartOS/2018Q3/x86_64/All/digest-20160304.tgz: current ar archive, not a dynamic executable or shared object

but, attempting to do a pkg_add results in:

--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> pkg_add /data/packages/SmartOS/2018Q3/x86_64/All/digest-20160304.tgz
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
recog_userid: not 13
recog_primary_key: not userid
short pubring recognition???
Ignoring unusual/reserved signature subpacket 33
pkg_add: unable to verify signature: Signature key id 51c870862222c685 not found 
--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--

Interestingly, that key id above is from the middle part of my key, not the end. I tried both short and long versions of the key - no difference. Using the middle part of the key doesn't actually match it. Is there a problem with the key lengths and/or compatibility and the code embedded in pkg_add vs gnupg2? Or have I just stuffed up somewhere?

..............51c870862222c685..........
8860B35B7701C351C870862222C68512FBA0CD5B
--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> more /opt/local/etc/pkg_install.conf 
GPG=/opt/local/bin/gpg2
#GPG_SIGN_AS=8860B35B7701C351C870862222C68512FBA0CD5B
GPG_SIGN_AS=FBA0CD5B
GPG_KEYRING_VERIFY=/opt/local/etc/gnupg/pkgsrc.gpg
PKG_PATH=/data/packages/SmartOS/2018Q3/x86_64/All;http://0.0.0.0:8080/packages/SmartOS/2018Q3/x86_64/All

--<root@pkgsrc>-(/data/chroot/dev-2018Q3-x86_64)-</data/pkgsrc/pkgtools/digest>--
-> gpg --no-default-keyring --keyring=/opt/local/etc/gnupg/pkgsrc.gpg  --list-keys
gpg: NOTE: trustdb not writable
/opt/local/etc/gnupg/pkgsrc.gpg
-------------------------------
pub   4096R/FAA66EE0 2015-02-03
uid                  Joyent Package Signing <pkgsrc@joyent.com>
sub   4096R/1B1CF4CC 2015-02-03
sub   4096R/DE817B8E 2015-02-03

pub   4096R/FBA0CD5B 2018-12-06
uid                  xxxxxx pkgsrc key <xxxx@xxxxxxxxx>
sub   4096R/3F0325C9 2018-12-06

Any help would be much appreciated.


jgc234 commented Dec 9, 2018

Ah, my mistake. I refreshed the image pkgbuild dir with a git pull, and there's now an older version of gnupg (2.0.30 from gnupg20) pre-installed in the tools space in the sandbox. All is good.


jgc234 commented Nov 2, 2019

A year later, I think I've finally worked out all the constraints that stop my signed packages from working - from https://github.com/joyent/pkgsrc-legacy/wiki/pkgdev:signing

  • The version of GPG in the pkgbuild zone itself must be gnupg20
  • The version of GPG in the pkgbuild sandbox must be gnupg20. This should be automatic.
  • The version of GPG that is importing the key into the pkgsrc.gpg keyring for the eventual target host doing the pkg_add must also be gnupg20.

The rest of pkgdev:signing works as is.
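As an added illustration (not code from this issue, from pkgsrc or from pkg_install): a small Python audit of an OpenPGP keyring that derives each v4 primary key's ID the way RFC 4880 defines it, as the low 64 bits (the tail, not the middle) of the fingerprint, and lists signature subpacket types that RFC 4880 does not define, such as the issuer-fingerprint subpacket 33 that GnuPG 2.1 and later emit and that the "unusual/reserved signature subpacket 33" warning above refers to. The packet layout follows RFC 4880; the key material and keyring bytes are constructed toy values, and the function names are this example's own.

```python
import hashlib
import struct
RFC4880_SUBPACKETS = frozenset([2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 16] + list(range(20, 33)))
def parse_packets(data):
    """Yield (tag, body) for old-format packet headers, which gpg --export writes."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if (ctb & 0xC0) != 0x80 or (ctb & 0x03) == 3:
            raise ValueError("unsupported packet header at offset %d" % i)
        n = 1 << (ctb & 0x03)                          # 1, 2 or 4 length octets
        start = i + 1 + n
        length = int.from_bytes(data[i + 1:start], "big")
        yield (ctb >> 2) & 0x0F, data[start:start + length]
        i = start + length
def v4_fingerprint(key_body):
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-octet length, body. Key ID = low 64 bits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()
def subpacket_types(sig_body):
    """Type of every subpacket in a v4 signature body, hashed area then unhashed area."""
    types, pos = [], 4                                 # skip version, sig type, pk algo, hash algo
    for _ in range(2):
        end, pos = pos + 2 + struct.unpack(">H", sig_body[pos:pos + 2])[0], pos + 2
        while pos < end:
            n, pos = sig_body[pos], pos + 1
            if 192 <= n < 255:                         # two-octet subpacket length
                n, pos = ((n - 192) << 8) + sig_body[pos] + 192, pos + 1
            elif n == 255:                             # five-octet subpacket length
                n, pos = struct.unpack(">I", sig_body[pos:pos + 4])[0], pos + 4
            types.append(sig_body[pos] & 0x7F)         # bit 7 is the "critical" flag
            pos += n
    return types
def audit_keyring(data):
    """Return (key IDs of v4 primary keys, signature subpacket types RFC 4880 does not define)."""
    key_ids, unknown = [], set()
    for tag, body in parse_packets(data):
        if tag == 6 and body[0] == 4:                  # v4 public-key packet
            key_ids.append(v4_fingerprint(body)[-16:])
        elif tag == 2 and body[0] == 4:                # v4 signature packet
            unknown.update(t for t in subpacket_types(body) if t not in RFC4880_SUBPACKETS)
    return key_ids, sorted(unknown)
# Constructed toy keyring (not a real key): v4 RSA key with a 16-bit modulus, plus a
# self-signature carrying creation time (2), issuer fingerprint (33) and issuer key ID (16).
KEY_BODY = b"\x04\x5c\x08\xa0\x00\x01" + b"\x00\x10\xc0\x01" + b"\x00\x11\x01\x00\x01"
FP = bytes.fromhex(v4_fingerprint(KEY_BODY))
HASHED = b"\x05\x02\x5c\x08\xa0\x00" + b"\x16\x21\x04" + FP
UNHASHED = b"\x09\x10" + FP[-8:]
SIG_BODY = (b"\x04\x13\x01\x08" + struct.pack(">H", len(HASHED)) + HASHED
            + struct.pack(">H", len(UNHASHED)) + UNHASHED + b"\xab\xcd\x00\x10\xc0\x00")
KEYRING = bytes([0x98, len(KEY_BODY)]) + KEY_BODY + bytes([0x88, len(SIG_BODY)]) + SIG_BODY
```

Run audit_keyring over the bytes of a real exported keyring such as /opt/local/etc/gnupg/pkgsrc.gpg to see whether the GnuPG version that wrote it added subpacket types an older verifier will not recognise, and to compare the computed key IDs with the one pkg_add reports.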
