# Problems with Poudriere



## green post-it (Jan 25, 2018)

I wanted to create some packages with different options from binary packages, so I set up poudriere.

poudriere.conf

```
##
## poudriere.conf
##
NO_ZFS=yes
FREEBSD_HOST=ftp://ftp.freebsd.org
RESOLV_CONF=/etc/resolv.conf

# The directory where poudriere will store jails and ports
BASEFS=/poudriere

# The directory where the jail will store the packages and logs
# by default a zfs filesystem will be created and set to
# ${BASEFS}/data
#
POUDRIERE_DATA=${BASEFS}/data

# Use portlint to check ports sanity
USE_PORTLINT=no

USE_TMPFS=no

DISTFILES_CACHE=/poudriere/distfiles

CHECK_CHANGED_OPTIONS=verbose
CHECK_CHANGED_DEPS=yes

SAVE_WRKDIR=yes
KEEP_OLD_PACKAGES=no

BUILDER_HOSTNAME=lrepo.test.local
PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/certs/poudriere.cert

USE_COLORS=yes
```

I created the certs for poudriere using OpenSSL.

I create jail with:
`poudriere jail -c -j R11x64 -v 11.1-RELEASE`

I create ports tree with
`poudriere ports -c -p HEAD`

create list of ports to build in /usr/local/etc/poudriere.d/buildlist/portlist

run command
`poudriere options -j R11x64 -p HEAD -f /usr/local/etc/poudriere.d/buildlist/portlist`

poudriere creates options directory with my options

run command
`poudriere bulk -j R11x64 -p HEAD -f /usr/local/etc/poudriere.d/buildlist/portlist`

poudriere successfully builds all packages and then reports

```
[00:50:51] Creating pkg repository
Creating repository in /tmp/packages: 100%
Packing files for repository:   0%
pkg-static: can't load key from /tmp/repo.key
Packing files for repository: 100%
[00:50:52] Cleaning up
[00:50:52] Unmounting file systems
```

I check logs and they indicate that all packages were built, but when I go to /poudriere/data/packages/R11x64-HEAD there are 3 directories:
.latest
.real_1516828511
.building

The first two directories are empty and the last has what appears to be packages.  Is .building the "normal" location for packages?  TIA


----------



## asteriskRoss (Jan 26, 2018)

The error is here:


green post-it said:


> poudriere successfully builds all packages and then reports
> 
> ```
> pkg-static: can't load key from /tmp/repo.key
> ```





green post-it said:


> poudriere.conf
> 
> ```
> PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/certs/poudriere.cert
> ...
> ```


How did you create your signing key?  I suspect that your /usr/local/etc/ssl/certs/poudriere.cert doesn't contain what you need.  There is an example in the man page for pkg-repo(8), which boils down to running `openssl genrsa -out repo.key 2048` to create a private RSA key.  This is the file that should be listed as PKG_REPO_SIGNING_KEY.


----------



## SirDice (Jan 26, 2018)

I would try to get things working without signing the packages first. There's no requirement for the packages to be signed. Once everything works you can look into signing them.


----------



## asteriskRoss (Jan 26, 2018)

green post-it, I see that was your first post. Welcome to the forums.

Adding to SirDice's post, perhaps you don't need ports-mgmt/poudriere for your purposes.  If you are building for a single system, perhaps building from ports would be adequate.  ports-mgmt/portmaster is a very helpful tool for building and upgrading ports.  Alternatively ports-mgmt/synth might be an easier option than poudriere.


----------



## green post-it (Jan 31, 2018)

Thank you to the two of you.  I was able to compile the packages with Poudriere without any further problems.  

@asteriskRoss, I am trying to learn how to use Poudriere.  It is quite the nifty piece of software!


----------



## Simon Wagner (Feb 4, 2019)

Sorry for hijacking/resurrecting this thread, but this sounds quite familiar. I'll elaborate on my journey:

I created key and cert:
`openssl genrsa -out /usr/local/etc/ssl/keys/poudriere.key 4096`
`openssl rsa -in /usr/local/etc/ssl/keys/poudriere.key -pubout -out /usr/local/etc/ssl/certs/poudriere.cert`

I put the key into poudriere.conf:

```
PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
```

I put the cert on the client:

```
# Making our local server the only source, putting the current FreeBSD version into the path
myRepo: {
    url: "pkg+http://<IP>/repository/FreeBSD/freebsd_11-2x64-QUARTERLY",
    mirror_type: "srv",
    signature_type: "pubkey",
    pubkey: "/usr/local/etc/ssl/certs/poudriere.cert",
    enabled: yes
}
```

Building, uploading to Webserver, pkg installing.. all work like a charm. Much easier than expected.

Then I tried verifying my setup. I fiddled with the certificate on the client, turning a b into a B. This should invalidate the key/cert combo.

BUT... pkg still installs like nothing happened.

I'm very very very sure that I have something misconfigured. But crosschecking with about every tutorial I can find, it does not look like I made a mistake.

How can I check whether poudriere signs the packages in the first place? Can I look for something in the log?
How can I monitor whether pkg checks the signatures?

Following the 'example' in the first post, I renamed poudriere.key to poudriere.ke, and got an error message.

```
[00:00:00] Starting jail freebsd_11-2x64-QUARTERLY
   [00:00:01] Error: PKG_REPO_SIGNING_KEY defined but the file is missing.
```
So that part of the config seems ok.

When I re-renamed the file, the bulk build went through. Nothing in the output contained {key|cert|sign}. Should it? Or is this quietness expected?

Thanks for pointing me in the right direction.

best regards
simon


----------
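
Added example (not part of any post in this thread): a pre-flight check for the two failure modes discussed above, namely pointing `PKG_REPO_SIGNING_KEY` at a file that is not a private key, and a client public key that no longer matches the signing key. It uses throwaway keys in a temporary directory and a plain `openssl dgst` signature over a constructed file as a stand-in for pkg's own repository signature; the function names and file names are assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway keys in a temp dir; nothing touches
# /usr/local/etc. File and function names are assumptions for illustration.

# Create a private RSA key and extract its public half.
make_keypair() {  # $1 = directory
    openssl genrsa -out "$1/repo.key" 2048 2>/dev/null &&
    openssl rsa -in "$1/repo.key" -pubout -out "$1/repo.pub" 2>/dev/null
}

# Succeeds only if the file is a usable RSA *private* key, i.e. something
# that can act as a signing key. A public key or certificate fails here.
is_private_key() {  # $1 = candidate key file
    openssl rsa -in "$1" -check -noout -passin pass: >/dev/null 2>&1
}

# Detached SHA-256/RSA signature over a file, and its verification.
sign_file()   { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }   # key file sig
verify_file() {                                                     # pub file sig
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Corrupt a public key by upper-casing the letters on one base64 body line,
# a deterministic version of the "turn a b into a B" experiment.
tamper_pubkey() {  # $1 = input pubkey, $2 = output
    sed '3y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' "$1" > "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    make_keypair "$d" || return 1
    printf 'constructed stand-in for a repository catalogue\n' > "$d/data"
    sign_file "$d/repo.key" "$d/data" "$d/data.sig" || return 1
    tamper_pubkey "$d/repo.pub" "$d/bad.pub"
    is_private_key "$d/repo.key" && echo "repo.key: private key, usable for signing"
    is_private_key "$d/repo.pub" || echo "repo.pub: not a private key, cannot sign"
    verify_file "$d/repo.pub" "$d/data" "$d/data.sig" && echo "good pubkey: verified"
    verify_file "$d/bad.pub" "$d/data" "$d/data.sig" || echo "tampered pubkey: rejected"
    rm -rf "$d"
}
demo
```

Running `is_private_key` against the file named in `PKG_REPO_SIGNING_KEY` before starting a bulk build catches the wrong-file case without waiting for the build to finish.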



## Datapanic (Feb 4, 2019)

There is a bug on FreeBSD_12.0-RELEASE and poudriere with a Fresh install of the OS and poudriere in which it fails to sign the key.

The only work-around I have found is to disable SSL or to create a poudriere install with FreeBSD_11.2-RELEASE and then upgrade to 12 later.


----------

