# Poudriere ssl broken with 12.0?



## Datapanic (Dec 15, 2018)

```sh
#create ssl certificate and key:
mkdir -p /usr/local/etc/ssl/{keys,certs}
chmod 0600 /usr/local/etc/ssl/keys
openssl genrsa -out /usr/local/etc/ssl/keys/poudriere.key 4096
openssl rsa -in /usr/local/etc/ssl/keys/poudriere.key -pubout -out /usr/local/etc/ssl/certs/poudriere.cert
```

Doesn't seem to work after building a ports tree.

When the session ends, I get:

```
pkg-static: can't load key from /tmp/repo.key
```

This setup is a copy of the same thing from 11.2-p6, which works.

Is there an "issue" with SSL in 12.0-RELEASE?


----------
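As an added example (not part of this thread and not poudriere's own code), the following POSIX sh script creates the key pair in the layout the first post uses and then checks it before `PKG_REPO_SIGNING_KEY` is pointed at it: the private key must parse (the step `pkg-static` is failing at above), the public key on disk must be the one derived from that private key, and a sign/verify round trip over a constructed payload must succeed. The base directory is a parameter; `/usr/local/etc/ssl` is the thread's location, and the function and file names below are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or from poudriere: generate and sanity-check
# the poudriere signing key pair. Layout assumed from the first post:
#   BASEDIR/keys/poudriere.key    (private key, referenced by PKG_REPO_SIGNING_KEY)
#   BASEDIR/certs/poudriere.cert  (matching public key, shipped to pkg clients)
set -u

# make_signing_keys BASEDIR [BITS]
#   Creates the directories and a fresh RSA key pair. The keys directory gets
#   0700 (not 0600) so it stays searchable by its owner.
make_signing_keys() {
    base=$1
    bits=${2:-4096}
    mkdir -p "$base/keys" "$base/certs" || return 1
    chmod 0700 "$base/keys" || return 1
    openssl genrsa -out "$base/keys/poudriere.key" "$bits" 2>/dev/null || return 1
    chmod 0600 "$base/keys/poudriere.key" || return 1
    openssl rsa -in "$base/keys/poudriere.key" -pubout \
        -out "$base/certs/poudriere.cert" 2>/dev/null || return 1
}

# check_signing_keys BASEDIR
#   Returns 0 only if the private key loads, the public key matches it, and a
#   signature made with the private key verifies with the public key.
check_signing_keys() {
    base=$1
    key="$base/keys/poudriere.key"
    pub="$base/certs/poudriere.cert"

    # 1. The private key itself must parse; a damaged or mis-typed key fails here,
    #    which is the same failure pkg-static reports as "can't load key".
    if ! openssl rsa -in "$key" -check -noout >/dev/null 2>&1; then
        echo "private key does not load: $key" >&2
        return 1
    fi

    # 2. The public key on disk must be the one derived from the private key
    #    (compare SHA-256 of the PEM text rather than the files byte by byte).
    want=$(openssl rsa -in "$key" -pubout 2>/dev/null | openssl sha256)
    have=$(openssl sha256 < "$pub")
    if [ "$want" != "$have" ]; then
        echo "public key $pub does not match $key" >&2
        return 1
    fi

    # 3. Sign/verify round trip on a constructed payload, mirroring what pkg does
    #    for the repository metadata.
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample payload\n' > "$tmp/payload"
    if ! openssl dgst -sha256 -sign "$key" -out "$tmp/payload.sig" "$tmp/payload" 2>/dev/null; then
        rm -rf "$tmp"
        echo "signing with $key failed" >&2
        return 1
    fi
    if openssl dgst -sha256 -verify "$pub" -signature "$tmp/payload.sig" "$tmp/payload" >/dev/null 2>&1; then
        rc=0
    else
        echo "signature did not verify with $pub" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: sh signing-keys.sh /usr/local/etc/ssl
# Generates the pair only if no private key exists yet, then checks it.
if [ $# -ge 1 ]; then
    [ -f "$1/keys/poudriere.key" ] || make_signing_keys "$1" || exit 1
    check_signing_keys "$1" && echo "signing key pair OK under $1"
fi
```

Running the check against a copy of the key file that poudriere hands to `pkg repo` reproduces the first failure mode independently of the build, so a key that fails step 1 can be ruled in or out as the cause before touching `poudriere.conf`.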



## rigoletto@ (Dec 15, 2018)

This looks like a name mismatch between the certificate name which pkg(8) is looking for and the actual name of the certificate.


----------



## Datapanic (Dec 15, 2018)

I did some more digging and it looks like, on a NEW install of FreeBSD 12-RELEASE with a new setup of ports-mgmt/poudriere, `pkg-static` has a problem with openssl 1.1.1 in base.  The problem I am seeing is similar to this bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232254

Disabling PKG_REPO_SIGNING_KEY in /usr/local/etc/poudriere.conf will allow the built packages to be added to the repo.  Otherwise, the packages get built but the repository fails to get built.


----------



## rigoletto@ (Dec 15, 2018)

Interesting, I am on 12-RELEASE, have `PKG_REPO_SIGNING_KEY` set, but it works fine; however, the keys were already in there - that's probably why I didn't experience it.

Thanks!


----------



## Datapanic (Dec 15, 2018)

Can you see what happens when you add a new port to build - does the new package get signed?


----------



## rigoletto@ (Dec 15, 2018)

I will have a look, but I've rebuilt all ports since the poudriere jail was new and pkg is configured with `signature_type: "pubkey"`.

EDITED


----------



## rigoletto@ (Dec 16, 2018)

How are you testing it? I've never had the curiosity to know how the signing is done, but I dug a bit around IRC (#poudriere) yesterday, and it seems poudriere just signs the metadata and not the package itself. I still would need to check it out later.


----------



## Datapanic (Dec 16, 2018)

You're right, just the metadata is signed.  There's a file, /usr/local/share/poudriere/common.sh, that has the task.


```sh
# Sign the ports-mgmt/pkg package for bootstrap
if [ -e "${PACKAGES}/Latest/pkg.txz" ]; then
        if [ -n "${SIGNING_COMMAND}" ]; then
                sign_pkg fingerprint "${PACKAGES}/Latest/pkg.txz"
        elif [ -n "${PKG_REPO_SIGNING_KEY}" ]; then
                sign_pkg pubkey "${PACKAGES}/Latest/pkg.txz"
        fi
fi
```


----------

