I'm trying to build the OPNsense core package with my own fingerprint added to the trusted fingerprints:
cd /usr/tools
make clean-core
make fingerprint > /usr/core/src/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint
echo "/usr/local/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint" >> /usr/core/plist
make core
The resulting OPNsense pkg doesn't include my fingerprint though. What might I be doing wrong?
Cheers
Maurice
I'm really unsure here.
What I use is a private/public key pair for the repository.
When I pkg my repo I put all .pkg files into the folder of the repo and then sign it with my private key every time, like this:
pkg repo . /src/private.key
The fingerprint would then be a hash of the public key. I offer the public key in my repo, and I could offer a hashed fingerprint of it too.
The repo.conf then would include the hashed public key as fingerprint as a requirement to connect to the repo, and would warn people if it's not the same.
Maybe that helps? I don't know. Maybe your fingerprint is something else? I'd like to know that too if it could make packages more secure.
> What might I be doing wrong?
Commit the changes in order for the build to accept them :)
Cheers,
Franco
Thanks Franco, you put me on the right track. This is what works for me:
cd /usr/tools
make clean-core
make update-core VERSION=23.7.10
make fingerprint > /usr/core/src/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint
cd /usr/core
make plist-fix
git add -f src/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint
git commit -a -m "add custom fingerprint"
git tag -f -m "stable release" 23.7.10
cd /usr/tools
make core
Rewriting the tag is required to prevent the commit from changing the OPNsense version (make core VERSION=23.7.10 doesn't seem to be supported).
Cheers & happy holidays
Maurice
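
A pre-build sanity check for the procedure in this thread, added here as an example (it is not from any poster or from the OPNsense tools): it confirms the fingerprint file is well-formed, matches the repository public key, and has its install path in the plist. It assumes the file uses pkg's `function:` / `fingerprint:` format and that the fingerprint is the SHA-256 of the public key file as stored; `check_fingerprint`, `sha256_of` and the key path passed in are hypothetical names.

```shell
#!/bin/sh
# Added example: validate a pkg fingerprint file before running "make core".
# Assumption: fingerprint = SHA-256 (hex) of the public key file as stored.

sha256_of() {
    # FreeBSD ships sha256(1); Linux ships sha256sum(1).
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# check_fingerprint FINGERPRINT_FILE PUBLIC_KEY PLIST INSTALL_PATH
# Returns 0 and prints "ok", or 1-4 depending on which check failed.
check_fingerprint() {
    fp_file=$1; pubkey=$2; plist=$3; install_path=$4

    # Values may be quoted or bare; accept both forms.
    func=$(sed -n 's/^function:[[:space:]]*"\{0,1\}\([A-Za-z0-9]*\)"\{0,1\}[[:space:]]*$/\1/p' "$fp_file")
    hash=$(sed -n 's/^fingerprint:[[:space:]]*"\{0,1\}\([0-9A-Fa-f]*\)"\{0,1\}[[:space:]]*$/\1/p' "$fp_file")

    [ "$func" = "sha256" ] || { echo "missing or unsupported function: '$func'" >&2; return 1; }
    [ "${#hash}" -eq 64 ] || { echo "fingerprint is not 64 hex digits" >&2; return 2; }

    # A fingerprint that does not match the signing key is trusted for nothing.
    want=$(sha256_of "$pubkey")
    [ "$(printf '%s' "$hash" | tr 'A-F' 'a-f')" = "$want" ] ||
        { echo "fingerprint does not match $pubkey" >&2; return 3; }

    # The package only ships files listed in the plist (exact line match).
    grep -qxF "$install_path" "$plist" ||
        { echo "$install_path missing from $plist" >&2; return 4; }

    echo "ok"
}

# Example call with the paths from this thread (key path is a placeholder):
# check_fingerprint \
#   /usr/core/src/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint \
#   /path/to/repo.pub /usr/core/plist \
#   /usr/local/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint
```

This does not check that the file is committed, which the build also requires as noted above.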