Notes on Ports

[Ref: Porter's Handbook | mk.conf(5) | ports(7)]

Table of Contents
  1. Cache
  2. Signatures
  3. mystuff
  4. dpb - Distributed Ports Builder

OpenBSD has a wonderful Ports Collection with a set of applications pre-compiled for the $architectures supported by the OS. The standard recommendation is to use the binary packages, generated from the ports collection, to minimise the damage our ignorance will force onto your system.

We are free to compile and install the programs directly from source.

I like to cause more damage, presumably with good intentions. I like the ports collection, and some of the 'custom' compilations I want are minor tweaks on the existing port, and I really want to keep the other advantages from ports (such as binary packages that I can install on other machines, or the appropriate configuration so I can readily compile on another architecture.)

These notes are to remind me of some of the things I always forget when updating ports, even when they are well documented in the above project documentation links.


Cache

[Ref: pkg_add(1)]

One dilemma with our ports collection is multiple system installs at remote locations over a slow/small pipe. If we knew what we were doing, we'd ship the packages across the link as a batch, but often enough we get called to install systems at short notice.

To help with building multiple systems, we use pkg_add(1)'s ability to cache/keep a local copy of the package.

mkdir -p /var/pkg/cache
export PKG_CACHE=/var/pkg/cache
export PKG_PATH=$PKG_CACHE/:non-local/package/repository/

package signatures

[Ref: FAQ15]

Our production environment requires verifiable sources for all installation binaries (which in this case includes software packages additional to the operating system). With OpenBSD release 5.5, the project distributes signed packages, and by default the package installation process expects signed packages.

If we are required to have an additional level of checks, i.e. we have to build and sign our own software packages, due to some compliance requirement, then the updated FAQ provides all the details for setting up your own/internal signing/validation infrastructure.

signatures in 5.4 and earlier

For those on versions prior to 5.5, the old process was something like the below:

Create the appropriate SSL certification authority "myorgpkgca.pem", certificates "myorgpkg.crt" and signing key "myorgpkg.key" and direct the pkg_create process to use the above specified keys to sign the packages.

File extract: /etc/mk.conf (OpenBSD 5.4 and earlier)

PKG_CREATE=/usr/sbin/pkg_create -s x509 -s /etc/ssl/myorgpkg.crt -s /etc/ssl/private/myorgpkg.key

Make sure the Certificate Authority and public certificate are available on the destination host when installing packages. The following files must be present on the new host:

  • /etc/ssl/myorgpkgca.pem
  • /etc/ssl/myorgpkg.crt

Signify 5.5

[Ref: signify(1)]

OpenBSD 5.5 introduced signify(1), a new tool now used for signing package binaries. The first advantage is that OpenBSD packages are now cryptographically signed by the people building releases.

Another advantage is the tool is relatively simple to use.

  • Create signatures
  • Use signify tool to sign new package builds.
  • Distribute your public key with the packages

# signify -G -n -s /etc/signify/myorg-pkg.sec -p /etc/signify/

File extract: /etc/mk.conf (OpenBSD 5.5 and later)

SIGNING_PARAMETERS=-s signify -s /etc/signify/myorg-pkg.sec

To use your signed packages, ensure the public signing key is on the new host (/etc/signify/


mystuff

[Ref: ]

So, why do we put our 'customisations' in /usr/ports/mystuff?

No one ever seems to explain why everyone is doing it. Two configurations that help explain 'mystuff' are PORTSDIR and PORTSDIR_PATH as described in the manpage.

manpage extract:

PORTSDIR Root of the ports tree (default: /usr/ports).

        Path used by dependencies and to look up
        package specifications. Defaults to
        Extra directory used to store local ports before committing
        them.  All depend targets will normally look there after the
        normal lookup fails.  See PORTSDIR_PATH.

Refer to for sample usage.

So, when you are in your custom port and you type 'make package', the ${PORTSDIR_PATH} is traversed to resolve the dependencies of your package. The order of the entries is significant, so if you need 'mystuff' traversed first, then make sure you make the appropriate changes, such as the below:

File extract: /etc/mk.conf
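
The lookup order described above, modelled as an added shell example (not part of the original notes and not the ports infrastructure's own code). The function names and the sample tree are hypothetical and constructed for illustration; the point is that whichever directory comes first in the list supplies the port, so listing 'mystuff' first lets a local port replace the official one in every dependent build, and shadowed_ports lists those overrides for review before the resulting packages are signed.

```shell
# Added example: models first-match lookup over a colon-separated PORTSDIR_PATH.
# Hypothetical function names; only two-level category/port paths are handled.

# resolve_pkgpath PATH_LIST PKGPATH: print the first directory holding the port.
resolve_pkgpath() {
    _list=$1 _pkgpath=$2
    _oldifs=$IFS; IFS=:
    set -- $_list
    IFS=$_oldifs
    for _root in "$@"; do
        if [ -f "$_root/$_pkgpath/Makefile" ]; then
            printf '%s\n' "$_root/$_pkgpath"
            return 0
        fi
    done
    return 1
}

# shadowed_ports PATH_LIST: print "pkgpath winning-directory" for each port
# present under more than one root, i.e. where path order decides the build.
shadowed_ports() {
    _list=$1
    _oldifs=$IFS; IFS=:
    set -- $_list
    IFS=$_oldifs
    for _root in "$@"; do
        for _mk in "$_root"/*/*/Makefile; do
            [ -f "$_mk" ] || continue
            _p=${_mk#"$_root"/}
            printf '%s\n' "${_p%/Makefile}"
        done
    done | sort | uniq -d | while read -r _p; do
        printf '%s %s\n' "$_p" "$(resolve_pkgpath "$_list" "$_p")"
    done
}

# Constructed sample tree: net/curl exists twice, www/local-tool only in mystuff.
make_sample_tree() {
    _t=$(mktemp -d) || return 1
    for _d in net/curl mystuff/net/curl mystuff/www/local-tool; do
        mkdir -p "$_t/ports/$_d" && : > "$_t/ports/$_d/Makefile"
    done
    printf '%s\n' "$_t/ports"
}

P=$(make_sample_tree)
resolve_pkgpath "$P:$P/mystuff" net/curl   # main tree listed first: it wins
resolve_pkgpath "$P/mystuff:$P" net/curl   # mystuff listed first: it wins
shadowed_ports "$P/mystuff:$P"             # ports where order changes the result
rm -rf "${P%/ports}"
```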


dpb - Distributed Ports Builder

[Ref: BSD Now Tutorial]

When you can dedicate a machine for building source, you can make global changes to assist in successful port builds.

System Resources

File extract: