[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [renamed] Debian crda?

Hi Luis, Paul,

On Friday 27 March 2009 14:00:20 Luis R. Rodriguez wrote:
> On Wed, Mar 25, 2009 at 9:59 PM, Paul Wise <pabs@debian.org> wrote:
> > On Thu, Mar 26, 2009 at 1:19 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> >
> >>> Brainwave: no need to add a second public key to CRDA itself, the
> >>> wireless-regdb could install the public key corresponding to the
> >>> private key it was built with.
> >>
> >> Can you elaborate on what you mean? Do you mean for wireless-regdb to
> >> put the actual pubkey into the users' system somewhere? Otherwise not
> >> sure what you mean.
> >
> > The crda package would contain the default upstream public key.
> >
> > The wireless-regdb would ship the Debian maintainer's pubkey as
> > debian/pubkeys/debian.pem in the source package and
> > /lib/crda/pubkeys/debian.pub.pem (or similar) in the binary package.

And all other pubkeys of members of packaging maintenance group.

> >
> > Ubuntu would add their pubkey in a similar way.

Ubuntu probably cannot build and sign their own regulatory.bin: AFAIK they
do source only uploads and package is built on remote buildd (with no access
to privkey for signing). They seem to just install linvilles pre-compiled
presigned regulatory.bin in the Ubuntu wireless-crda package and be happy
with that.

> >
> > When wireless-regdb is built, it would:
> >
> > check the sha1sum/sha256sum of db.txt (alternatively upstream could
> > add a detached signature if possible to the tarball/git repo)
> >
> > if the db.txt is identical to the upstream one (or signed by
> > upstream), ship the upstream regulatory.bin file
> >
> > if the db.txt has been modified:
> >
> > if no private key is available, generate one automatically

I would rather the build process fail if the packager has not prepared
themselves a priv/pub key pair for maintaining wireless-regdb package or
else we could end up with a new key pair created on-the-fly and being used
to sign a regulatory.bin which is not recognised by the currently available
crda until it is recompiled with the new key in its PUBKEY_DIR.

Instead the debian packaging could provide some documentation/convenience
code for expected handling of maintainer priv/pub key pairs for signing
and authentication of regulatory.bin. Attempted to write such stuff here:

$ svn cat svn://svn.debian.org/svn/pkg-wpa/wireless-regdb/trunk/debian/README.maintainer
Add to debian/pubkeys all public keys which crda should consider when
verifying regulatory.bin. This should include all members of the pkg-wpa-devel
team who plan to work on or upload wireless-regdb or crda.

To generate an openssl key pair for packaging purposes:
make -f debian/rules install-distro-key

This should create:

Copy the pubkey to debian/pubkeys and commit it to the VCS:
cp ~/.wireless-regdb-pkg-wpa-devel.key.pub.pem \
svn add debian/pubkeys/pkg-wpa-devel-${USER}.pub.pem

When new keys are added to debian/pubkeys, the crda package needs to be
rebuilt with an updated versioned build dependency: the wireless-regdb
package version with the new key(s).

When building this package, the private key must be accessible so that
regulatory.bin can be signed by it to ensure the path of authentication
for the regulatory domain database is as good as possible. It does however
mean that the package cannot be built in a clean chroot (eg. pbuilder)
without having your ~/ bind mounted in it.

> >
> > rebuild the regulatory.bin file using the private key
> >
> > create the corresponding public key and install it in the package as
> > /lib/crda/pubkeys/custom.pub.pem when it is not the same public key as
> > one of the ones in debian/pubkeys/*.pem (avoids shipping two copies of
> > the Debian pubkey)

The pubkeys are small enough to not bother adding code and worry about having
a duplicate key in /lib/crda/pubkeys/ I think. At least at this stage it is
least of packaging worries.

> >
> > this scheme requires standard locations for the private key. I would
> > suggest either ~/.debian-wireless-regdb.priv.pem or
> > debian-wireless-regdb.priv.pem in the package build directory.
> >

Luis added some support code to handle this in wireless-regdb Makefile

> >>>> It is possible for users to add more public keys to the CRDA  pubkeys
> >>>> dir and build their own wireless-regdb using their own private key.
> >>>
> >>> The above simplification makes this much easier.
> >>
> >> Not sure what you mean, but the idea with the pubkeys directory
> >
> > The above scheme would allow users who apt-get source wireless-regdb,
> > edit db.txt, debuild, debi to automatically trust their own key, as
> > well as trusting Debian's key and the upstream key.

Made an attempt at packaging wireless-regdb and crda after thinking about
stuff discussed in this thread, the proposed packaging is at:

Can people please take a good look at this please to make sure it is a viable
packaging effort?

Thanks, Kel.

Reply to: