I’ve been building a few packages for OpenBSD, and being a lazy sort, I thought I’d set up an anonymous FTP server (ftpd(8)) via which the machines I’m working on (the builder and the pristine test candidate) can talk to each other easily. A Web server or an SSH server would have been equally suitable, as the OpenBSD package tools support the HTTP, HTTPS, and SCP URL schemes as well.

useradd -k '' -c FTP -d /home/ftp -s /sbin/nologin -m ftp
rcctl enable ftpd
rcctl start ftpd

A tiny shell script I call pamp uploads the package I’m currently building from the port directory directly to the FTP server.

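#!/bin/sh

# Ask the port's Makefile where packages land and what the distribution is called.
packagedir=$(make show=_PKG_REPO)
dist="$(make show=DISTNAME).tgz"
tgz="${packagedir}${dist}"

# Upload the freshly built package to the local anonymous FTP server.
curl -s --upload-file "$tgz" "ftp://localhost/${dist}"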

On the test system I set up TRUSTED_PKG_PATH so that pkg_add automatically obtains the packages and waives checking their signatures:

export TRUSTED_PKG_PATH="ftp://192.168.33.123/"

I was told off for using $TRUSTED_PKG_PATH with unsigned packages; rightly, because OpenBSD makes it trivial to sign and verify them.

I create a private and public key pair, sign the packages, and distribute the public key to the machines which will verify the signatures on the packages.

# create a public and a private key
$ doas signify -G -c "JP's local signer" -p /etc/signify/jp2-pkg.pub -s /etc/signify/jp2-pkg.sec -n

# sign my packages
$ pkg_sign -s signify2 -s /etc/signify/jp2-pkg.sec -v -o out/ -S .

# copy public key /etc/signify/jp2-pkg.pub to target system

# on target system, install packages; the signatures on these
# are automatically verified
$ export PKG_PATH="ftp://192.168.33.123/out"
$ doas pkg_add perp
perp-2.07: ok

I read my way through the documentation of signify(1) before finding the procedure well documented (as most things are in OpenBSD) in package signatures.
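A sanity check for the key distribution step above, as an added example that is not from the original post: it parses signify's two-line file format, confirms that the public key copied to the target carries the same key number as the secret key used for signing, and notes when the secret key was generated with -n. The function names and sample files are constructed for illustration, the byte layout follows the structs in OpenBSD's signify.c, and the signature case covers detached signify signatures rather than the ones pkg_sign embeds in packages; matching key numbers catches a mixed-up key file but does not verify any signature.

```python
import base64
import struct

# Decoded blob sizes, from the structs in OpenBSD's signify.c:
#   pub: alg[2] keynum[8] key[32]      sig: alg[2] keynum[8] sig[64]
#   sec: alg[2] kdf[2] rounds[4, big-endian] salt[16] checksum[8] keynum[8] key[64]
KINDS = {42: "public", 74: "signature", 104: "secret"}
PREFIX = "untrusted comment: "

def parse_signify(text):
    """Parse a signify file: a comment line followed by one base64 line."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith(PREFIX):
        raise ValueError("missing 'untrusted comment: ' header")
    blob = base64.b64decode(lines[1], validate=True)
    kind = KINDS.get(len(blob))
    if kind is None or blob[:2] != b"Ed":
        raise ValueError("not an Ed25519 signify key or signature")
    info = {"kind": kind, "comment": lines[0][len(PREFIX):]}
    if kind == "secret":
        if blob[2:4] != b"BK":
            raise ValueError("unknown KDF identifier")
        info["kdf_rounds"] = struct.unpack(">I", blob[4:8])[0]
        info["keynum"] = blob[32:40]
    else:
        info["keynum"] = blob[2:10]
    return info

def check_pair(pub_text, other_text):
    """Return a list of findings; an empty list means nothing to report."""
    pub, other = parse_signify(pub_text), parse_signify(other_text)
    findings = []
    if pub["kind"] != "public":
        findings.append("first file is not a public key")
    if pub["keynum"] != other["keynum"]:
        findings.append("key numbers differ: wrong public key for this " + other["kind"])
    if other.get("kdf_rounds") == 0:
        findings.append("secret key has no passphrase (signify -n)")
    return findings

def _sample(comment, blob):
    """Build a constructed sample file; no real key material is involved."""
    return PREFIX + comment + "\n" + base64.b64encode(blob).decode() + "\n"

KEYNUM = bytes(range(8))  # constructed key number
SAMPLE_PUB = _sample("constructed public key", b"Ed" + KEYNUM + bytes(32))
SAMPLE_SEC = _sample("constructed secret key", b"EdBK" + bytes(28) + KEYNUM + bytes(64))
SAMPLE_SIG = _sample("verify with other.pub", b"Ed" + bytes(8) + bytes(64))

if __name__ == "__main__":
    print(check_pair(SAMPLE_PUB, SAMPLE_SEC))
    print(check_pair(SAMPLE_PUB, SAMPLE_SIG))
```

A secret key written with -n is protected only by its file permissions, so the last finding is a prompt to check who can read the .sec file on the build machine.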

(FWIW, signify has been ported to Linux.)

Let’s build!