How to add custom fingerprint to OPNsense core package?

Started by Maurice, December 21, 2023, 03:33:46 PM

I'm trying to build the OPNsense core package with my own fingerprint added to the trusted fingerprints:


cd /usr/tools
make clean-core
make fingerprint > /usr/core/src/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint
echo "/usr/local/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint" >> /usr/core/plist
make core


The resulting OPNsense pkg doesn't include my fingerprint though. What might I be doing wrong?

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

December 22, 2023, 10:11:25 AM #1 Last Edit: December 22, 2023, 10:18:07 AM by Monviech
I'm really unsure here.

What I use is a private/public key pair for the repository.
When I pkg my repo I put all .pkg files into the folder of the repo and then sign it with my private key every time, like this:

pkg repo . /src/private.key

The fingerprint would then be a hash of the public key. I offer the public key in my repo, and I could offer a hashed fingerprint of it too.

The repo.conf then would include the hashed public key as fingerprint as a requirement to connect to the repo, and would warn people if it's not the same.

Maybe that helps? I don't know. Maybe your fingerprint is something else? I'd like to know that too if it could make packages more secure.
Hardware:
DEC740

> What might I be doing wrong?

Commit the changes in order for the build to accept them :)


Cheers,
Franco

Thanks Franco, you put me on the right track. This is what works for me:

cd /usr/tools
make clean-core
make update-core VERSION=23.7.10
make fingerprint > /usr/core/src/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint
cd /usr/core
make plist-fix
git add -f src/etc/pkg/fingerprints/OPNsense/trusted/myfingerprint
git commit -a -m "add custom fingerprint"
git tag -f -m "stable release" 23.7.10
cd /usr/tools
make core


Rewriting the tag is required to prevent the commit from changing the OPNsense version (make core VERSION=23.7.10 doesn't seem to be supported).

Cheers & happy holidays
Maurice
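The file that `make fingerprint` writes into the trusted directory is a plain pkg(8) fingerprint record: the hash function name and the SHA-256 of the repository public key file, which is the "hash of the public key" Monviech refers to. The following added example (not from the thread or from the OPNsense tools) shows how to produce that record and check a public key against it outside the build; it assumes `sha256sum` and `awk`, and uses `openssl` only for the optional demo key pair.

```shell
#!/bin/sh
# Added example, not from the thread: build a pkg(8) trusted fingerprint
# record for a repo signing key and verify a public key against it.
set -eu

# pkg(8) fingerprint files are two lines: the hash function and the hex
# digest of the public key file's bytes. Prints that record for key $1.
make_fingerprint() {
    printf 'function: sha256\nfingerprint: %s\n' \
        "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Return 0 if public key $2 matches trusted fingerprint file $1, else 1.
# This is the comparison pkg makes before trusting a repository signature.
verify_fingerprint() {
    expected=$(awk '$1 == "function:" {f=$2}
                    $1 == "fingerprint:" && f == "sha256" {print $2}' "$1")
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Demo with throwaway key pairs (constructed here, not real repo keys):
# the key the fingerprint was made from is accepted, any other is rejected.
demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    openssl rsa -in "$dir/private.key" -pubout -out "$dir/pubkey" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    openssl rsa -in "$dir/other.key" -pubout -out "$dir/otherpub" 2>/dev/null
    mkdir -p "$dir/trusted"
    make_fingerprint "$dir/pubkey" > "$dir/trusted/myfingerprint"
    verify_fingerprint "$dir/trusted/myfingerprint" "$dir/pubkey" \
        && echo "own key: trusted"
    verify_fingerprint "$dir/trusted/myfingerprint" "$dir/otherpub" \
        || echo "other key: rejected"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

A fingerprint that is not committed into the core tree never reaches the package, so after generating the record it is worth checking that the final OPNsense package actually ships a file with these two lines under /usr/local/etc/pkg/fingerprints/OPNsense/trusted.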