PKG not quite ready for prime time

scratc...@att.net

Oct 10, 2014, 1:13:32 PM
I'm having quite a lot of trouble converting to pkg due to there
being no obvious source of accurate documentation. I got this
after I thought I had it solved and could install something:

11:36 Fri, 10 Oct [momcat:root]~> pkg install firefox
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
Fetching meta.txz: 100% 968 B 1.0k/s 00:01
pkg: Error loading trusted certificates
pkg: repository FreeBSD has no meta file, using default settings
Fetching digests.txz: 100% 2 MB 119.8k/s 00:17
pkg: Error loading trusted certificates
pkg: Unable to update repository FreeBSD
All repositories are up-to-date.
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
pkg: Repository FreeBSD cannot be opened. 'pkg update' required
Updating database digests format: 100%
pkg: No packages available to install matching 'firefox' have been found in the repositories


Just for the record, could someone knowledgeable please post the
real, current list of required config files and their contents OR
a pointer to known-good+complete documentation?

Thanks!
_______________________________________________
freebs...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-port...@freebsd.org"

olli hauer

Oct 10, 2014, 1:30:18 PM
Please show us the following output
$ pkg info pkg

and from next command everything from "Repositories:" to the end (last ~10 lines)
$ pkg -vv

--
olli

scratc...@att.net

Oct 10, 2014, 1:43:08 PM
[momcat:root]~> pkg info pkg
pkg-1.3.8_3
Name : pkg
Version : 1.3.8_3
Installed on : Fri Oct 10 07:57:56 EDT 2014
Origin : ports-mgmt/pkg
Architecture : freebsd:9:x86:64
Prefix : /usr/local
Categories : ports-mgmt
Licenses : BSD2CLAUSE
Maintainer : por...@FreeBSD.org
WWW : http://wiki.freebsd.org/pkgng
Comment : Package manager
Shared Libs provided:
libpkg.so.3
Flat size : 8.18MiB
Description :
Package management tool

WWW: http://wiki.freebsd.org/pkgng


>
>and from next command everything from "Repositories:" to the end (last ~10 lines)
>$ pkg -vv


Repositories:
FreeBSD: {
url : "pkg+http://pkg.freebsd.org/freebsd:8:x86:64/latest",
enabled : yes,
mirror_type : "SRV",
signature_type : "FINGERPRINTS",
fingerprints : "/usr/share/keys/pkg"
}
13:41 Fri, 10 Oct [momcat:root]~>

olli hauer

Oct 10, 2014, 2:02:31 PM
There is an architecture mismatch, your pkg claims to be a 9.x package and your repo wants to install 8.x packages.
I suspect this is an upgraded system that has manual changes in the repo file.

Locate the file "/etc/pkg/FreeBSD.conf" and make sure it looks like the following lines (the variable ${ABI} instead of "freebsd:8:x86:64")
(it is possible a correct copy exists in /usr/src/etc/pkg/FreeBSD.conf)

FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}


after fixing the repo run
$ pkg update -f


--
olli

Auld Besom

Oct 10, 2014, 2:29:55 PM
I had it as ${ABI} to begin with, but had no luck that way either
(see below). Then I changed it, unaware that that first 8 was
the version, or even that there are o/s version-dependent
versions of pkg.

14:25 Fri, 10 Oct [momcat:root]/etc/pkg> cat FreeBSD.conf
FreeBSD: {
url: "pkg+http://pkg.freebsd.org/${ABI}/latest",
enabled: true,
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
mirror_type: "srv"
}
14:25 Fri, 10 Oct [momcat:root]/etc/pkg> pkg update -f
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
Fetching meta.txz: 100% 968 B 1.0k/s 00:01
pkg: Error loading trusted certificates
pkg: repository FreeBSD has no meta file, using default settings
Fetching digests.txz: 100% 2 MB 119.8k/s 00:17
pkg: Error loading trusted certificates
pkg: Unable to update repository FreeBSD
14:25 Fri, 10 Oct [momcat:root]/etc/pkg>

Mark Felder

Oct 10, 2014, 2:49:54 PM
On Fri, Oct 10, 2014, at 13:29, Auld Besom wrote:
>
> I had it as ${ABI} to begin with, but had no luck that way either
> (see below). Then I changed it, unaware that that first 8 was
> the version, or even that there are o/s version-dependent
> versions of pkg.
>
Pkg itself is compiled, not interpreted like Yum which is Python, so it
does matter. And you of course want to ensure you're installing packages
built for FreeBSD 9 on your FreeBSD 9 server.

The next error you're seeing is this:

> pkg: Error loading trusted certificates

This is due to your missing certificates in /usr/share/keys/pkg which
are required due to your repository having:

signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",

You could remove those lines to work around that, but you are lowering
the security of your system as you cannot verify the integrity of your
packages anymore. The fix is to populate your /usr/share/keys/pkg. I do
not know why it did not come populated after your upgrade, but that's a
discussion for another day. Let's get your keys:

# mkdir -p /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
# fetch -o /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 \
    "https://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?revision=260605&view=co"
# chown root:wheel /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301
# chmod 644 /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301


If you have problems with fetch because of the https you might have to
use --no-verify-peers but at least compare the certificate and/or ensure
the contents of the key match what's in the repository....
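
Added example, not part of the message above and not code from pkg: a shell pre-flight check that reads a repository file like the FreeBSD.conf shown in this thread and reports whether signature_type "fingerprints" has a populated trusted/ directory behind it, and whether the url uses ${ABI}. The ROOT prefix argument, the demo's placeholder key file, and the `function:`/`fingerprint:` key-file layout it looks for are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread or pkg): pre-flight check of a repo's trust settings.
conf_value() {  # conf_value KEY FILE -> first value of KEY, quotes and trailing comma stripped
    sed -n 's/^[[:space:]]*'"$1"'[[:space:]]*:[[:space:]]*"\{0,1\}\([^",]*\).*/\1/p' "$2" | head -n 1
}

check_repo_trust() {  # check_repo_trust CONF [ROOT]; ROOT (assumption) prefixes paths for offline runs
    conf=$1; root=${2:-}
    sigtype=$(conf_value signature_type "$conf" | tr 'A-Z' 'a-z')
    fpdir=$(conf_value fingerprints "$conf")
    case $(conf_value url "$conf") in
        *'${ABI}'*) ;;
        *) echo "WARN: url does not use \${ABI}; check it matches the installed release" ;;
    esac
    if [ "$sigtype" != fingerprints ]; then
        echo "FAIL: signature_type is '${sigtype:-unset}', packages would not be verified"
        return 1
    fi
    if [ ! -d "$root$fpdir/trusted" ]; then
        echo "FAIL: $fpdir/trusted is missing, nothing to verify signatures against"
        return 2
    fi
    found=0
    for f in "$root$fpdir"/trusted/*; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]]*fingerprint[[:space:]]*:' "$f"; then
            found=$((found + 1)); echo "OK: $(basename "$f")"
        else
            echo "WARN: $(basename "$f") has no fingerprint: line"
        fi
    done
    [ "$found" -gt 0 ] && return 0
    echo "FAIL: no usable fingerprint file in $fpdir/trusted"
    return 2
}

demo() {  # constructed sample: the thread's FreeBSD.conf, first without keys, then with a placeholder key
    d=$(mktemp -d)
    printf '%s\n' 'FreeBSD: {' '  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",' \
        '  mirror_type: "srv",' '  signature_type: "fingerprints",' \
        '  fingerprints: "/usr/share/keys/pkg",' '  enabled: yes' '}' > "$d/FreeBSD.conf"
    check_repo_trust "$d/FreeBSD.conf" "$d" || echo "status $?"
    mkdir -p "$d/usr/share/keys/pkg/trusted" "$d/usr/share/keys/pkg/revoked"
    printf 'function: "sha256"\nfingerprint: "<constructed-placeholder>"\n' > "$d/usr/share/keys/pkg/trusted/example.key"
    rc=0; check_repo_trust "$d/FreeBSD.conf" "$d" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo
```

On a real system the call is `check_repo_trust /etc/pkg/FreeBSD.conf` with no second argument; it only confirms the files are present and well-formed, so the key contents still need comparing against a trusted copy.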

Mark Felder

Oct 10, 2014, 3:55:41 PM


On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
> On 10/10/2014 1:12 PM, scratc...@att.net wrote:
> > On Fri, 10 Oct 2014 12:57:42 -0500, Bryan Drewery wrote:
> >
> >> find /usr/share/keys/pkg -exec sha256 {} +
> >
> > No such file
>
> That's your problem. You are missing the signature fingerprints to
> compare against. As such Pkg is refusing to do anything to prevent MITM
> attacks.
>
> You are missing this:
> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>
> freebsd-update can provide it.
>
>

Ahh, good point. This is better advice. Even if your system was
supposedly fully up to date freebsd-update would detect this is missing
and repair it as it was part of an SA. This is better advice than my
manual creation method :-)

Royce Williams

Oct 10, 2014, 5:23:08 PM
On Fri, Oct 10, 2014 at 11:55 AM, Mark Felder <fe...@freebsd.org> wrote:
>
>
> On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
>> On 10/10/2014 1:12 PM, scratc...@att.net wrote:
>> > On Fri, 10 Oct 2014 12:57:42 -0500, Bryan Drewery wrote:
>> >
>> >> find /usr/share/keys/pkg -exec sha256 {} +
>> >
>> > No such file
>>
>> That's your problem. You are missing the signature fingerprints to
>> compare against. As such Pkg is refusing to do anything to prevent MITM
>> attacks.
>>
>> You are missing this:
>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>
>> freebsd-update can provide it.
>
> Ahh, good point. This is better advice. Even if your system was
> supposedly fully up to date freebsd-update would detect this is missing
> and repair it as it was part of an SA. This is better advice than my
> manual creation method :-)

I'm glad that Mark managed to get an answer to this question.

But could pkg be adapted to help uninitiated users to discover this
for themselves on the spot?

Royce

Michelle Sullivan

Oct 11, 2014, 9:00:13 AM
Lars Engels wrote:
> On Sat, Oct 11, 2014 at 12:15:54AM +0200, Michelle Sullivan wrote:
>
>> Mark Felder wrote:
>>
>>> On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
>>>
>>>
>>>> On 10/10/2014 1:12 PM, scratc...@att.net wrote:
>>>>
>>>>
>>>>> On Fri, 10 Oct 2014 12:57:42 -0500, Bryan Drewery wrote:
>>>>>
>>>>>
>>>>>
>>>>>> find /usr/share/keys/pkg -exec sha256 {} +
>>>>>>
>>>>>>
>>>>> No such file
>>>>>
>>>>>
>>>> That's your problem. You are missing the signature fingerprints to
>>>> compare against. As such Pkg is refusing to do anything to prevent MITM
>>>> attacks.
>>>>
>>>> You are missing this:
>>>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>>>
>>>> freebsd-update can provide it.
>>>>
>>>>
>>>>
>>>>
>>> Ahh, good point. This is better advice. Even if your system was
>>> supposedly fully up to date freebsd-update would detect this is missing
>>> and repair it as it was part of an SA. This is better advice than my
>>> manual creation method :-)
>>>
>>>
>> Didn't on mine, I ran into the same problem - though it wasn't a show
>> stopper for me as I was trying to use my own repo - which also failed
>> using the docs... and nothing in the debug gave any clues or additional
>> information to the problem. Fortunately, I can read/write code, so I
>> fixed things myself.
>>
>
> Thanks for creating a PR.
>
Actually I noticed about 72 hours ago, and I'm still trying to fix
everything that was broken by the forced change... so there is no way
I'm going to be doing any PRs until that's all done... and 23rd Oct my
boss has me flying to SFO to discuss with the Eng & Ops team about
changing all my servers over from FreeBSD to Redhat - exactly what I
thought they would - been unable to update/patch any of my prod servers
against the Bash bug because the entire build system is broken because
of the 'End of life = This is the day its all going to break' issue...
so not really got any motivation to log any PRs now... or ever again.

Regards,

--
Michelle Sullivan
http://www.mhix.org/

scratc...@att.net

Oct 11, 2014, 9:36:19 AM
On Fri, 10 Oct 2014 13:49:54 -0500, you wrote:

>On Fri, Oct 10, 2014, at 13:29, Auld Besom wrote:
>>
>> I had it as ${ABI} to begin with, but had no luck that way either
>> (see below). Then I changed it, unaware that that first 8 was
>> the version, or even that there are o/s version-dependent
>> versions of pkg.
>>
>Pkg itself is compiled, not interpreted like Yum which is Python, so it
>does matter.

> And you of course want to ensure you're installing packages
>built for FreeBSD 9 on your FreeBSD 9 server.

[sigh] Yes. I'm old enough that I'm always sleep-deprived, and
after 8-10 hours of concentrated work I'm so foggy that my brain
goes unserviceable.


>
>The next error you're seeing is this:
>
>> pkg: Error loading trusted certificates
>
>This is due to your missing certificates in /usr/share/keys/pkg which
>are required due to your repository having:
>
> signature_type: "fingerprints",
> fingerprints: "/usr/share/keys/pkg",
>
>You could remove those lines to work around that, but you are lowering
>the security of your system as you cannot verify the integrity of your
>packages anymore. The fix is to populate your /usr/share/keys/pkg. I do
>not know why it did not come populated after your upgrade, but that's a
>discussion for another day. Let's get your keys:
>
># mkdir -p /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
># fetch -o /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301
>"https://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?revision=260605&view=co"
># chown root:wheel
>/usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301
># chmod 644 /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301

Thank you. Those seem to fill in the gap. It's a pity that the
installer for pkg didn't do that part of the job.

Daniel Austin via freebsd-ports

Oct 11, 2014, 9:41:21 AM
Hi,

On 11/10/2014 14:34, Michelle Sullivan wrote:
> scratc...@att.net wrote:
>>> You are missing this:
>>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>>
>>> freebsd-update can provide it.
>>>
>>
>> Thank you for the pointer.
>>
>> What puzzles me is why the problem wasn't fixed for o/s versions
>> prior to 10.0 since it was being made mandatory for those
>> versions. That doesn't seem like good practice.
>>
> We have a winner! <3\

I've upgraded countless machines from 9.x to 10.x using freebsd-update
and have never come across this issue. (have done a few 8.x to 10.x via
9.x and been fine too - but not many of these)

What upgrade path did you use, what version did you come from, and what
version did you go to?


Thanks,

Daniel.

Michelle Sullivan

Oct 11, 2014, 9:54:52 AM
Daniel Austin via freebsd-ports wrote:
> Hi,
>
> On 11/10/2014 14:34, Michelle Sullivan wrote:
>> scratc...@att.net wrote:
>>>> You are missing this:
>>>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>>>
>>>> freebsd-update can provide it.
>>>>
>>>
>>> Thank you for the pointer.
>>>
>>> What puzzles me is why the problem wasn't fixed for o/s versions
>>> prior to 10.0 since it was being made mandatory for those
>>> versions. That doesn't seem like good practice.
>>>
>> We have a winner! <3\
>
> I've upgraded countless machines from 9.x to 10.x using freebsd-update
> and have never come across this issue. (have done a few 8.x to 10.x
> via 9.x and been fine too - but not many of these)
>
> What upgrade path did you use, what version did you come from, and
> what version did you go to?

Not talking about changing versions - talking about machines that are
forced to use pkg that are not 10.x and the freebsd-update tool was used
to patch the box at the same major version.

Michelle

--
Michelle Sullivan
http://www.mhix.org/
