From 98c4ca5e08e4e3f1fb9c021d4e82f3f2106f0d52 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin Date: Fri, 30 Sep 2011 12:46:10 +0400 Subject: [PATCH] SKS: upgrade to 1.1.2 Changelog for 1.1.2: - HTML generated by SKS has been cleaned up to pass XHTML 1.0 Strict without error or warnings - Added HTTP/1.0 after POST, '-' added to safe characters for webserver, Add '.html' (text/html) to list of supported file extensions for web server - Johan van Selst's patch implementing Phil Pennock's suggestion of an X-HKP-Results-Count: header to returned web server queries - Johan van Selst's patch to add Content-length header to web results - DB Statistics are kept for 30 days insstead of 7 - SIGUSR2 now triggers on-demand statistics - sks dump should ignore -USR1 and -USR2 - Remove XA support which Oracle dropped in DB 4.8 (& restored in DB 5.2) - Work-around in bdb_stubs.c for DB_XA_CREATE dropped after DB 4.7 - always display number of hashes received for better statistics in recon.log - Fix 'sks dump' usage: help message syntax - Fix documentation to explicit that hkp_address and recon_address can contain both IP addresses and domain names. - Fix documentation with ambiguity of -n when used with build and fastbuild - Spelling corrections - BUGFIX: do not leak the joined cursor in Keydb.get_by_words. Items added to the port: - explanations on how to create main page for the Web server and an example of that page; - rc.d scripts. 
Signed-off-by: Eygene Ryabinkin --- security/sks/Makefile | 22 ++- security/sks/distinfo | 4 +- security/sks/files/index.html | 47 +++++ security/sks/files/pkg-message.in | 28 +++ security/sks/files/sks-db.in | 43 +++++ security/sks/files/sks-recon.in | 43 +++++ security/sks/files/sks.pod | 354 +++++++++++++++++++++++++++++++++++++ security/sks/files/sks_build.sh | 48 +++++ security/sks/pkg-message | 8 - 9 files changed, 584 insertions(+), 13 deletions(-) create mode 100644 security/sks/files/index.html create mode 100644 security/sks/files/pkg-message.in create mode 100755 security/sks/files/sks-db.in create mode 100755 security/sks/files/sks-recon.in create mode 100644 security/sks/files/sks.pod create mode 100644 security/sks/files/sks_build.sh delete mode 100644 security/sks/pkg-message diff --git a/security/sks/Makefile b/security/sks/Makefile index 632a8c4..963e472 100644 --- a/security/sks/Makefile +++ b/security/sks/Makefile @@ -6,7 +6,7 @@ # PORTNAME= sks -PORTVERSION= 1.1.1 +PORTVERSION= 1.1.2 CATEGORIES= security MASTER_SITES= GOOGLE_CODE EXTRACT_SUFX= .tgz @@ -19,6 +19,7 @@ PROJECTHOST= sks-keyserver USE_OCAML= yes USE_BDB= 46+ USE_PERL5_BUILD=yes +USE_RC_SUBR= sks-db sks-recon USE_GMAKE= yes MAKE_ENV= BDBINCLUDE="-I${BDB_INCLUDE_DIR}" \ 
@@ -26,19 +27,34 @@ MAKE_ENV= BDBINCLUDE="-I${BDB_INCLUDE_DIR}" \ LIBDB="-l${BDB_LIB_NAME}" \ MANDIR="${MANPREFIX}/man" +WRKSRC= ${WRKDIR}/sks +ALL_TARGET= dep all + PLIST_FILES= bin/sks bin/sks_add_mail bin/sks_build.sh +SUB_FILES+= pkg-message MAN8= sks.8 MANCOMPRESSED= yes -PORTDOCS= BUGS README TODO +PORTDOCS= README +PORTEXAMPLES= index.html +# XXX: should reappear on next release, because +# XXX: tarball for 1.1.2 was really screwed up. +#PORTDOCS= README TODO BUGS post-extract: @: > ${WRKSRC}/Makefile.local +.for f in sks.pod sks_build.sh + @${CP} ${FILESDIR}/${f} ${WRKSRC} +.endfor post-install: .if !defined(NOPORTDOCS) @${MKDIR} ${DOCSDIR} cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${DOCSDIR} .endif - @${CAT} ${PKGMESSAGE} +.if !defined(NOPORTEXAMPLES) + @${MKDIR} ${EXAMPLESDIR} + cd ${FILESDIR} && ${INSTALL_DATA} ${PORTEXAMPLES} ${EXAMPLESDIR} +.endif + @${CAT} ${WRKDIR}/pkg-message .include diff --git a/security/sks/distinfo b/security/sks/distinfo index 4b70aa2..a84d996 100644 --- a/security/sks/distinfo +++ b/security/sks/distinfo @@ -1,2 +1,2 @@ -SHA256 (sks-1.1.1.tgz) = 3cad29126e2d0cd904e9c92b0393ee4756f40916af33346bc5075b836fea8362 -SIZE (sks-1.1.1.tgz) = 273833 +SHA256 (sks-1.1.2.tgz) = 5226407c12440e1e08217730778abc626c50392ff01b7e1afdd13967b7c1ec71 +SIZE (sks-1.1.2.tgz) = 269551 diff --git a/security/sks/files/index.html b/security/sks/files/index.html new file mode 100644 index 0000000..77a0174 --- /dev/null +++ b/security/sks/files/index.html @@ -0,0 +1,47 @@ + + + + PGP Keyserver Search Page + + +
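Review bot: The post-install target now cats ${WRKDIR}/pkg-message directly, so the generated message is only shown by `make install` and, as far as I can tell, is no longer what the ports framework records as the port's package message. Setting `PKGMESSAGE= ${WRKDIR}/pkg-message` next to `SUB_FILES+= pkg-message` and keeping the original `@${CAT} ${PKGMESSAGE}` line covers both paths. The `.for f in sks.pod sks_build.sh` loop in post-extract copies those files into WRKSRC verbatim, so nothing in them goes through %%VAR%% substitution; a one-line comment there, `# copied verbatim: not SUB_FILES, no %%PREFIX%% substitution`, would save the next maintainer from assuming otherwise, since sks_build.sh hard-codes install paths.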

PGP Keyserver is ready

+ + +

Extract a key

+ +

+ You can extract a key by typing in some words that appear in the userid + of the key you're looking for, or by typing in the keyid in hex + format («0xdeadbabe»). +

+ +
+
+ +
Output type: +  regular, +  verbose, +  ascii-armored keys +
+
Output options: +  show PGP fingerprints, +  show full-key hashes
+
+
+ + +

Submit a key

+ +

+ Paste ASCII-armored version of your key («gpg --import -a KEYID» will work + for GnuPG) here and press the button. +

+
+
+
+
+
+
+ + + diff --git a/security/sks/files/pkg-message.in b/security/sks/files/pkg-message.in new file mode 100644 index 0000000..664abe8 --- /dev/null +++ b/security/sks/files/pkg-message.in @@ -0,0 +1,28 @@ +Fresh install +============= + +When installing for the first time, you will need to obtain a pgp +key database dump from somewhere and build database files from this. +http://www.keysigning.org/sks/ may help you getting started. + + +Upgrades +======== + +=> When updating from an sks version < 1.1 be aware that the pgp key +=> database files are not compatible: make a full dump of your data +=> before updating and rebuild the database files afterwards. + + +Web interface +============= + +If you want to host a Web interface with the starting page that allows +users to search and submit PGP keys, you should do the following: + + a. create the 'web' directory under your SKS home directory; + b. copy %%EXAMPLESDIR%%/index.html to that directory + (you should have port examples to be installed); + c. if you want to serve users at the usual HTTP port, you should + redirect or proxy the real built-in HTTP server for SKS that + is listening port 11371 in the default configuration. diff --git a/security/sks/files/sks-db.in b/security/sks/files/sks-db.in new file mode 100755 index 0000000..89ef36f --- /dev/null +++ b/security/sks/files/sks-db.in 
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: sks-db
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following to /etc/rc.conf[.local] to enable this service
+#
+# sks_db_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=sks_db
+rcvar=`set_rcvar`
+start_cmd="sks_db_start_cmd"
+
+load_rc_config ${name}
+
+: ${sks_db_enable=NO}
+: ${sks_db_user=sks}
+: ${sks_db_chdir=/home/sks}
+: ${sks_db_flags=}
+
+command=%%PREFIX%%/bin/sks
+pidfile="${sks_db_chdir}"/"$name".pid
+
+sks_db_start_cmd ()
+{
+ check_startmsgs && echo "Starting ${name}."
+
+ if ! cd "$sks_db_chdir"; then
+ echo "Failed to change directory to '$sks_db_chdir'." >&2
+ return 1
+ fi
+ /usr/sbin/daemon -f -p "${pidfile}" -u "${sks_db_user}" \
+ $command $sks_db_flags db
+ return $?
+}
+
+run_rc_command "$1"
diff --git a/security/sks/files/sks-recon.in b/security/sks/files/sks-recon.in
new file mode 100755
index 0000000..dca1d7e
--- /dev/null
+++ b/security/sks/files/sks-recon.in
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: sks-recon
+# REQUIRE: DAEMON sks-db
+# KEYWORD: shutdown
+#
+# Add the following to /etc/rc.conf[.local] to enable this service
+#
+# sks_recon_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=sks_recon
+rcvar=`set_rcvar`
+start_cmd="sks_recon_start_cmd"
+
+load_rc_config ${name}
+
+: ${sks_recon_enable=NO}
+: ${sks_recon_user=sks}
+: ${sks_recon_chdir=/home/sks}
+: ${sks_recon_flags=}
+
+command=%%PREFIX%%/bin/sks
+pidfile="${sks_recon_chdir}"/"$name".pid
+
+sks_recon_start_cmd ()
+{
+ check_startmsgs && echo "Starting ${name}."
+
+ if ! cd "$sks_recon_chdir"; then
+ echo "Failed to change directory to '$sks_recon_chdir'." >&2
+ return 1
+ fi
+ /usr/sbin/daemon -f -p "${pidfile}" -u "${sks_recon_user}" \
+ $command $sks_recon_flags recon
+ return $?
+}
+
+run_rc_command "$1"
diff --git a/security/sks/files/sks.pod b/security/sks/files/sks.pod
new file mode 100644
index 0000000..ae19894
--- /dev/null
+++ b/security/sks/files/sks.pod
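Review bot: In sks_db_start_cmd the pidfile is placed under ${sks_db_chdir} (default /home/sks), the directory owned by the unprivileged service user, while daemon(8) runs as root and, as far as I recall, opens the -p file before switching to the -u user; a root-created pidfile inside a user-writable directory is the usual shape of a pidfile symlink problem, and it also means rc.subr's stop and status read a file the service user can rewrite. Keeping it in the root-only location other rc scripts use, `pidfile=/var/run/${name}.pid`, avoids both while leaving the rest of the function untouched. The failure branch could use rc.subr's own helper, `warn "cannot change directory to ${sks_db_chdir}"`, instead of a bare echo to stderr. sks-recon.in below is the same script with the names substituted and shares both points.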
@@ -0,0 +1,354 @@ +=head1 NAME + +SKS - Synchronizing Key Server + +=head1 SYNOPSIS + +sks [options] -debug + +=head1 DESCRIPTION + +SKS is a OpenPGP keyserver whose goal is to provide easy to deploy, decentralized, and highly reliable synchronization. That means that a key submitted to one SKS server will quickly be distributed to all key servers, and even wildly out-of-date servers, or servers that experience spotty connectivity, can fully synchronize with rest of the system. + +The design of SKS is deliberately simple. The server consists of two single-threaded processes. The first, "sks db", fulfills the normal jobs associated with a public key server, such as answering web requests. The only special functionality of "sks db" is that it keeps a log summarizing the changes to the key database. "sks recon" does all the work with respect to reconciling hosts databases. "sks recon" keeps track of specialized summary information about the database, and can use that information to efficiently determine the differences between its database and that of another host. + +=head1 FEATURES + +Highly efficient and reliable reconciliation algorithm + +Follows RFC2440 and RFC2440bis carefully - unlike PKS, SKS supports new and old style packets, photoID packets, multiple subkeys, and pretty much everything allowed by the RFCs. + +Fully compatible with PKS system - can both send and receive syncs from PKS servers, ensuring seamless connectivity. + +Simple configuration: each host just needs a (partial) list of the other participating key servers. Gossip is used to distribute information without putting a heavy load an any one host. + +Supports HKP/web-based querying, and soon-to-be-standard machine readable indices + +=head1 OPTIONS + +SKS binary command options are as follows: + +=over + +=item db + + Initiates database server. + +=item recon + +Initiates reconciliation server. + +=item cleandb + +Apply filters to all keys in database, fixing some common problems. 
+ +=item build + +Build key database, including body of keys directly in database. + +=item fastbuild -n [size] -cache [mbytes] + +Build key database, doesn't include keys directly in database, faster than build. -n specifies the number of keydump files to read per pass when used with build and the multiple of 15,000 keys to be read per pass when used with fastbuild. -cache specifies the database cache to use in megabytes. + +=item pbuild -cache [mbytes] -ptree_cache [mbytes] + +Build prefix-tree database, used by reconciliation server, from key database. Allows for specification of cache for key database and for ptree database. + +=item dump #keys dumpdir + +Create a raw dump of the keys in the database. + +=item merge + +Adds key from key files to existing database. + +=item drop + +Drops key from database. + +=item update_subkeys [-n # of updates / 1000] + +Updates subkey keyid index to include all current keys. Only useful when upgrading versions 1.0.4 or before of SKS. + +=item help + +Prints the help message. + +=back + +=head1 ADDITIONAL OPTIONS + +You won't need most of the options below for normal operation. These options can be given in basedir/sksconf or as command line option for the sks binary. + +=over + +=item -debug + +Debugging mode. + +=item -debuglevel + +Debugging level -- sets verbosity of logging. + +=item -q + + Number of bits defining a bin. + +=item -mbar + +Number of errors that can be corrected in one shot. + +=item -seed + +Seed used by RNG. + +=item -hostname + +Current hostname. + +=item -d + + Number of keys to drop at random when synchronizing. + +=item -n + + Number of keydump files to load at once. + +=item -max_internal_matches + +Maximum number of matches for most specific word in a multi-word search. + +=item -max_matches + +Maximum number of matches that will be returned from a query. + +=item -max_uid_fetches + +Maximum number of uid fetches performed in a verbose index query. 
+ +=item -pagesize + +Pagesize in bytes for key db. + +=item -cache + +Cache size in megs for key db. + +=item -ptree_pagesize + +Pagesize in bytes for prefix tree db. + +=item -ptree_cache + +Cache size in megs for prefix tree db. + +=item -baseport + +Set base port number. + +=item -recon_port + +Set recon port number. + +=item -recon_address + +Set recon binding addresses. Can be a list of whitespace separated IP addresses or domain names. + +=item -hkp_port + +Set hkp port number. + +=item -hkp_address + +Set hkp binding addresses. Can be a list of whitespace separated IP addresses or domain names. + +=item -use_port_80 + +Have the HKP interface listen on port 80, as well as the hkp_port. + +=item -basedir + +Set base directory. + +=item -stdoutlog + +Send log messages to stdout instead of log file. + +=item -diskptree + +Use a disk-based ptree implementation. Slower, but requires far less memory. + +=item -nodiskptree + +Use in-mem ptree. + +=item -max_ptree_nodes + +Maximum number of allowed ptree nodes. Only meaningful if -diskptree is set. + +=item -prob + +Set probability. Used for testing code only. + +=item -recon_sync_interval + +Set sync interval for reconserver. + +=item -gossip_interval + +Set time between gossips in minutes. + +=item -dontgossip + +Don't gossip automatically. Host will still respond to requests from other hosts. + +=item -db_sync_interval + +Set sync interval for dbserver. + +=item -checkpoint_interval + +Time period between checkpoints. + +=item -recon_checkpoint_interval + +Time period between checkpoints for reconserver. + +=item -ptree_thresh_mult + +Multiple of thresh which specifies minimum node size in prefix tree. + +=item -recon_thresh_mult + +Multiple of thresh which specifies minimum node size that is included in reconciliation. + +=item -max_recover + +Maximum number of differences to recover in one round. + +=item -http_fetch_size + +Number of keys for reconserver to fetch from dbserver in one go. 
+ +=item -wserver_timeout + +Timeout in seconds for webserver requests. + +=item -reconciliation_timeout + +Timeout for reconciliation runs in minutes. + +=item -stat_hour + +Hour at which to run database statistics. + +=item -initial_stat + +Runs database statistics calculation on boot. + +=item -reconciliation_config_timeout + +Set timeout in seconds for initial exchange of config info in reconciliation. + +=item -missing_keys_timeout + +Timeout in seconds for get_missing_keys. + +=item -command_timeout + +Timeout in seconds for commands set over command socket. + +=item -sendmail_cmd + +Command used for sending mail. + +=item -from_addr + +From address used in synchronization emails used to communicate with PKS. + +=item -dump_new_only + +When doing a database dump, only dump new keys, not keys already contained in a keydump file. + +=item -max_outstanding_recon_requests + +Maximum number of outstanding requests in reconciliation. + +=item -membership_reload_interval + +Maximum interval (in hours) at which membership file is reloaded. + +=item --help, -help + +Displays list of options. + +=back + +=head1 FILES + +Information about important files located in your SKS basedir. + +=over + +=item bin/sks + +The main SKS executable. + +=item bin/sks_add_mail + +The executable responsible for parsing incoming mails from PKS key servers. + +=item bin/sks_build.sh + +Script to generate an initial database. + +=item mailsync + +The mailsync should contains a list of email addresses of PKS keyservers. This file is important, because it ensures that keys submitted directly to an SKS keyserver are also forwarded to PKS keyservers. IMPORTANT : don't add someone to your mailsync file without getting their permission first! + +=item membership + +With SKS, two hosts can efficiently compare their databases then repair whatever differences are found. In order to set up reconciliation, you first need to find other SKS servers that will agree to gossip with you. 
The hostname and port of the server that has agreed to do so should be added to this file. + +=item sksconf + +The configuration file for your SKS server. + +=back + +=head1 EXAMPLES + +=over + +=item membership + + keyserver.ahost.org 11370 # Comments are allowed + keyserver.foo.org 11370 # Another host with default ports + +=item sksconf + + membership_reload_interval: 1 + initial_stat: + hostname: keyserver.example.com + from_addr: pgp-public-keys@keyserver.example.com + +=item Procmail + + PATH=/path/of/sks/exectuables + :0 + * ^Subject: incremental + | /path/of/sks_add_mail /path/to/sks/directory + +=item /etc/aliases + + pgp-public-keys: "|/path/of/sks_add_mail /path/to/sks/directory" + +=back + +=head1 SEE ALSO + + The SKS website is located at http://minskyprimus.net/sks/. + +=head1 AUTHOR + +The first draft was written by Thomas Sjogren . diff --git a/security/sks/files/sks_build.sh b/security/sks/files/sks_build.sh new file mode 100644 index 0000000..c0e3d41 --- /dev/null +++ b/security/sks/files/sks_build.sh 
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# SKS build script.
+# cd to directory with "dump" subdirectory, and run
+# You might want to edit this file to reduce or increase memory usage
+# depending on your system
+
+ask_mode() {
+ echo "Please select the mode in which you want to import the keydump:"
+ echo ""
+ echo "1 - fastbuild"
+ echo " only an index of the keydump is created and the keydump cannot be"
+ echo " removed."
+ echo ""
+ echo "2 - normalbuild"
+ echo ""
+ echo " all the keydump will be imported in a new database. It takes longer"
+ echo " time and more disk space, but the server will run faster (depending"
+ echo " from the source/age of the keydump)."
+ echo " The keydump can be removed after the import."
+ echo ""
+ echo -n "Enter enter the mode (1/2): "
+ read
+ case "$REPLY" in
+ 1)
+ mode="fastbuild"
+ ;;
+ 2)
+ mode="build /var/lib/sks/dump/*.pgp"
+ ;;
+ *)
+ echo "Option unknown. bye!"
+ exit 1
+ ;;
+ esac
+}
+
+fail() { echo Command failed unexpectedly. Bailing out; exit -1; }
+
+ask_mode
+
+echo "=== Running (fast)build... ==="
+if ! /usr/sbin/sks $mode -n 10 -cache 100; then fail; fi
+echo === Cleaning key database... ===
+if ! /usr/sbin/sks cleandb; then fail; fi
+echo === Building ptree database... ===
+if ! /usr/sbin/sks pbuild -cache 20 -ptree_cache 70; then fail; fi
+echo === Done! ===
diff --git a/security/sks/pkg-message b/security/sks/pkg-message
deleted file mode 100644
index b23e23c..0000000
--- a/security/sks/pkg-message
+++ /dev/null
@@ -1,8 +0,0 @@
-
-=> When updating from an sks version < 1.1 be aware that the pgp key
-=> database files are not compatible: make a full dump of your data
-=> before updating and rebuild the database files afterwards.
-
-When installing for the first time, you will need to obtain a pgp
-key database dump from somewhere and build database files from this.
-http://www.keysigning.org/sks/ may help you getting started.
-- 
1.7.3.4
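Review bot: The three `/usr/sbin/sks` call sites and the `mode="build /var/lib/sks/dump/*.pgp"` arm are Linux packaging paths that do not exist on this port: the Makefile hunk installs sks as bin/sks under PREFIX and copies this file into WRKSRC verbatim (it is not in SUB_FILES, so a %%PREFIX%% marker would not be substituted either), and the header comment itself says to run from the directory that contains dump/. `#!/bin/bash` is also a dependency the port does not declare, and `exit -1` is rejected by stricter sh implementations. Resolving sks relative to this script (both are installed into the same bin/, and $0 carries the path when the script is run by path or via PATH), using the relative dump/*.pgp path, and switching to /bin/sh with `read -r reply` keeps it working wherever the port is installed; `$mode` stays unquoted on purpose so the build arm still splits and globs.
```shell
#!/bin/sh
# … unchanged: header comments and the ask_mode prompt text …
    echo -n "Enter enter the mode (1/2): "
    read -r reply
    case "$reply" in
    1)
        mode="fastbuild"
        ;;
    2)
        # the keydump lives under the current directory, as the header says
        mode="build dump/*.pgp"
        ;;
# … unchanged: default arm, esac, closing brace of ask_mode …

fail() { echo "Command failed unexpectedly. Bailing out." >&2; exit 1; }

# sks is installed beside this script (both land in PREFIX/bin)
sks_bin="$(dirname -- "$0")/sks"

ask_mode

echo "=== Running (fast)build... ==="
# $mode is intentionally unquoted: the build arm must split and glob
"$sks_bin" $mode -n 10 -cache 100 || fail
# … unchanged: cleandb and pbuild steps, with the same "$sks_bin" substitution …
```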