Are signatures of system images verified?
Both system installer and poudriere jails take images from http://ftp.freebsd.org/pub/FreeBSD/releases/

But I can't see that there is a signature anywhere there that is verified during the download.

For example, pkg(8) uses the key fingerprint /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify downloads. This is the only file under /usr/share/keys/

Does this mean that system images aren't verified and MITM is possible, or am I missing something?

Yuri

___
freebsd-pkgbase@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pkgbase
To unsubscribe, send any mail to "freebsd-pkgbase-unsubscr...@freebsd.org"
Re: Are signatures of system images verified?
On Wed, Jun 29, 2016 at 02:21:00PM -0700, Yuri wrote:
> Both system installer and poudriere jails take images from
> http://ftp.freebsd.org/pub/FreeBSD/releases/
>
> But I can't see that there is a signature anywhere there that is verified
> during the download.
>
> For example, pkg(8) uses the key fingerprint
> /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify downloads.
> This is the only file under /usr/share/keys/
>
> Does this mean that system images aren't verified and MITM is possible, or I
> am missing something?
>

This is different than pkgbase; the base.txz and kernel.txz, etc., are not what would have been installed with pkg(8). When pkgbase is ready, yes, they will be signed.

The MANIFEST for the base.txz is checked by bootonly.iso when installing (it has a local version of the file), so the security model here is:

- bootonly.iso is downloaded, checksums compared to the PGP-signed email and the image is "good";
- bsdinstall(8) fetches the remote files, and compares their hashes against a known-good MANIFEST (it is part of its filesystem, /usr/freebsd-dist/).

But you raise a good point, poudriere does not have a good way to validate the base.txz unless it also unpacks bootonly.iso (or any of the installer media) and compares the checksums.

Glen
Re: Are signatures of system images verified?
On 06/29/2016 14:32, Glen Barber wrote:
> But you raise a good point, poudriere does not have a good way to
> validate the base.txz unless it also unpacks bootonly.iso (or any of the
> installer media) and compares the checksums.

The possible solution is that poudriere should supply a public key as a part of the package, and all binaries that it downloads are also signed with the corresponding private key.

Yuri
Re: Are signatures of system images verified?
On Wed, Jun 29, 2016 at 02:46:26PM -0700, Yuri wrote:
> On 06/29/2016 14:32, Glen Barber wrote:
> >But you raise a good point, poudriere does not have a good way to
> >validate the base.txz unless it also unpacks bootonly.iso (or any of the
> >installer media) and compares the checksums.
>
> The possible solution is that poudriere should supply a public key as a part
> of the package, and all binaries that it downloads are also signed with the
> corresponding private key.
>

If I understand what you mean correctly, that would imply poudriere is responsible for the contents of base.txz, which it is not. I think the better solution (if I understood correctly) is RE needs to PGP-sign the releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include it in the announcement email for the release, as well as on the website.

Please correct me if I did misunderstand.

This way, poudriere could verify the hash of the file against what it has downloaded, in addition to verifying the PGP fingerprint.

Glen
Re: Are signatures of system images verified?
On 06/29/2016 14:59, Glen Barber wrote:
> If I understand what you mean correctly, that would imply poudriere is
> responsible for the contents of base.txz, which it is not. I think the
> better solution (if I understood correctly) is RE needs to PGP-sign the
> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> it in the announcement email for the release, as well as on the website.
>
> Please correct me if I did misunderstand.
>
> This way, poudriere could verify the hash of the file against what it
> has downloaded, in addition to verifying the PGP fingerprint.

Yes, only MANIFEST should be signed; I made a mistake suggesting that all binaries should be signed.

I don't quite understand the connection between the poudriere run and the announcement email. Could you please elaborate on this? Just downloading something from the website isn't secure either.

Thank you,
Yuri
Re: Are signatures of system images verified?
On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> On 06/29/2016 14:59, Glen Barber wrote:
> >If I understand what you mean correctly, that would imply poudriere is
> >responsible for the contents of base.txz, which it is not. I think the
> >better solution (if I understood correctly) is RE needs to PGP-sign the
> >releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >it in the announcement email for the release, as well as on the website.
> >
> >Please correct me if I did misunderstand.
> >
> >This way, poudriere could verify the hash of the file against what it
> >has downloaded, in addition to verifying the PGP fingerprint.
>
> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
> binaries should be signed.
>

Ok, got it.

> I don't quite understand the connection between the poudriere run and the
> announcement email. Could you please elaborate on this? Just downloading
> something from the website isn't secure either.
>

The only correlation there is a link to a web page containing PGP-signed checksum files (for the ISOs).

This is "new" as of 10.2-RELEASE. So, what I mean (or meant to say) is poudriere could fetch the base.txz file, fetch the signed checksum (of the MANIFEST), and compare it against something like this:

https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc

Hopefully that makes it a bit more clear on what I meant.

Glen
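As an added illustration (not code from this thread, from poudriere or from bsdinstall), here is a Python sketch of the two checks discussed above: parsing a release MANIFEST and the body of a clearsigned CHECKSUM.SHA256-*.asc file, then comparing a downloaded file's SHA-256 against the listed value. The file contents, hashes and the "X.Y-RELEASE" name are constructed placeholders, and the PGP signature on the .asc file is assumed to have been verified with gpg beforehand; this code only parses the signed body.

```python
import hashlib
import hmac
import re
# Constructed stand-ins for release files (the real base.txz is hundreds of MB).
SAMPLE_FILES = {
    "base.txz": b"constructed stand-in for base.txz\n",
    "kernel.txz": b"constructed stand-in for kernel.txz\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# MANIFEST lines are tab-separated: filename, sha256, file count, short name,
# quoted description, default on/off.  Hashes below derive from SAMPLE_FILES.
SAMPLE_MANIFEST = "".join(
    f'{n}\t{sha256_hex(d)}\t1\t{n.split(".")[0]}\t"constructed"\ton\n'
    for n, d in SAMPLE_FILES.items()
)

# Body of a clearsigned CHECKSUM.SHA256-*.asc file with a placeholder signature
# block.  The real signature must be checked with gpg before the body is trusted.
SAMPLE_CHECKSUM_ASC = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    f"SHA256 (FreeBSD-X.Y-RELEASE-amd64-bootonly.iso) = {sha256_hex(b'iso')}\n"
    "-----BEGIN PGP SIGNATURE-----\n[placeholder]\n-----END PGP SIGNATURE-----\n"
)

_BSD_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})$")

def parse_manifest(text: str) -> dict:
    """Map filename -> expected sha256 from MANIFEST text; reject malformed lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 2 or not re.fullmatch(r"[0-9a-fA-F]{64}", fields[1]):
            raise ValueError(f"malformed MANIFEST line: {line!r}")
        expected[fields[0]] = fields[1].lower()
    return expected

def parse_bsd_checksums(text: str) -> dict:
    """Map filename -> sha256 from 'SHA256 (name) = hex' lines, ignoring armor."""
    return {m["name"]: m["hex"].lower()
            for m in map(_BSD_LINE.match, text.splitlines()) if m}

def verify(name: str, data: bytes, expected: dict) -> bool:
    """True only if name is listed and its hash matches (constant-time compare)."""
    return name in expected and hmac.compare_digest(sha256_hex(data), expected[name])
```

A file absent from the MANIFEST fails verification rather than being skipped, which is the behaviour you want when an upstream mirror serves an unexpected extra archive.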
Re: Are signatures of system images verified?
On 6/29/2016 4:03 PM, Glen Barber wrote:
> On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
>> On 06/29/2016 14:59, Glen Barber wrote:
>>> If I understand what you mean correctly, that would imply poudriere is
>>> responsible for the contents of base.txz, which it is not. I think the
>>> better solution (if I understood correctly) is RE needs to PGP-sign the
>>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
>>> it in the announcement email for the release, as well as on the website.
>>>
>>> Please correct me if I did misunderstand.
>>>
>>> This way, poudriere could verify the hash of the file against what it
>>> has downloaded, in addition to verifying the PGP fingerprint.
>>

FYI since Poudriere 3.1.11, it has compared the checksums in the MANIFEST against the downloaded packages. It also now uses https://download.freebsd.org by default. It requires security/ca_root_nss. I thought I had forced that dependency but it was missing. It is added now.

Around that time (January 2016), Colin Percival has been maintaining a copy of the MANIFESTS in ports-mgmt/poudriere as well. Those get installed with Poudriere and used during jail -c after fetching if available, so that relying on https isn't required. These were missing for ports-mgmt/poudriere-devel until just now. I've moved them to misc/freebsd-release-manifests and made both ports depend on it.

>>
>> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
>> binaries should be signed.
>>
>
> Ok, got it.
>
>> I don't quite understand the connection between the poudriere run and the
>> announcement email. Could you please elaborate on this? Just downloading
>> something from the website isn't secure either.
>>
>
> The only correlation there is a link to a web page containing PGP-signed
> checksum files (for the ISOs).
>
> This is "new" as of 10.2-RELEASE. So, what I mean (or meant to say) is
> poudriere could fetch the base.txz file, fetch the signed checksum (of
> the MANIFEST), and compare it against something like this:
>
> https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc
>
> Hopefully that makes it a bit more clear on what I meant.
>
> Glen
>

-- 
Regards,
Bryan Drewery
Re: Are signatures of system images verified?
On Wed, Jun 29, 2016 at 04:38:05PM -0700, Bryan Drewery wrote:
> On 6/29/2016 4:03 PM, Glen Barber wrote:
> > On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> >> On 06/29/2016 14:59, Glen Barber wrote:
> >>> If I understand what you mean correctly, that would imply poudriere is
> >>> responsible for the contents of base.txz, which it is not. I think the
> >>> better solution (if I understood correctly) is RE needs to PGP-sign the
> >>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >>> it in the announcement email for the release, as well as on the website.
> >>>
> >>> Please correct me if I did misunderstand.
> >>>
> >>> This way, poudriere could verify the hash of the file against what it
> >>> has downloaded, in addition to verifying the PGP fingerprint.
> >>
>
> FYI since Poudriere 3.1.11, it has compared the checksums in the
> MANIFEST against the downloaded packages. It also now uses
> https://download.freebsd.org by default. It requires
> security/ca_root_nss. I thought I had forced that dependency but it was
> missing. It is added now.
>

Ah, great, thank you. To those interested, the MANIFEST files included were obtained in a secure manner, i.e., bootonly.iso was downloaded and extracted after the checksum was compared to the PGP-signed email.

> Around that time (January 2016), Colin Percival has been maintaining a
> copy of the MANIFESTS in ports-mgmt/poudriere as well. Those get
> installed with Poudriere and used during jail -c after fetching if
> available, so that relying on https isn't required. These were missing
> for ports-mgmt/poudriere-devel until just now. I've moved them to
> misc/freebsd-release-manifests and made both ports depend on it.
>

I completely forgot about this. Thank you.

Glen
Re: Are signatures of system images verified?
On Wed, Jun 29, 2016 at 11:46:45PM +0000, Glen Barber wrote:
> On Wed, Jun 29, 2016 at 04:38:05PM -0700, Bryan Drewery wrote:
> > On 6/29/2016 4:03 PM, Glen Barber wrote:
> > > On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> > >> On 06/29/2016 14:59, Glen Barber wrote:
> > >>> If I understand what you mean correctly, that would imply poudriere is
> > >>> responsible for the contents of base.txz, which it is not. I think the
> > >>> better solution (if I understood correctly) is RE needs to PGP-sign the
> > >>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> > >>> it in the announcement email for the release, as well as on the website.
> > >>>
> > >>> Please correct me if I did misunderstand.
> > >>>
> > >>> This way, poudriere could verify the hash of the file against what it
> > >>> has downloaded, in addition to verifying the PGP fingerprint.
> > >>
> >
> > FYI since Poudriere 3.1.11, it has compared the checksums in the
> > MANIFEST against the downloaded packages. It also now uses
> > https://download.freebsd.org by default. It requires
> > security/ca_root_nss. I thought I had forced that dependency but it was
> > missing. It is added now.
> >
>
> Ah, great, thank you. To those interested, the MANIFEST files included
> were obtained in a secure manner, i.e., bootonly.iso was downloaded and
> extracted after the checksum was compared to the PGP-signed email.
>

Uhm, to lessen confusion, this last sentence...

> > Around that time (January 2016), Colin Percival has been maintaining a
> > copy of the MANIFESTS in ports-mgmt/poudriere as well. Those get
> > installed with Poudriere and used during jail -c after fetching if
> > available, so that relying on https isn't required. These were missing
> > for ports-mgmt/poudriere-devel until just now. I've moved them to
> > misc/freebsd-release-manifests and made both ports depend on it.
> >
>
> I completely forgot about this. Thank you.
>

... should have been here. :(

Glen
Re: Are signatures of system images verified?
On 06/29/16 16:38, Bryan Drewery wrote:
> Around that time (January 2016), Colin Percival has been maintaining a
> copy of the MANIFESTS in ports-mgmt/poudriere as well.

For the record, I obtained these files by downloading the release ISOs, verifying their hashes against the signed release announcements, and then extracting the MANIFEST files from the ISOs, and I intend to do this for future releases as well. I think the consensus was that this was a better option than adding "commit MANIFEST files to the ports tree" to the already very lengthy release engineering checklist, but of course I'd have no objection to handing over this task if re@ wanted it for some reason. :-)

> Those get
> installed with Poudriere and used during jail -c after fetching if
> available, so that relying on https isn't required. These were missing
> for ports-mgmt/poudriere-devel until just now. I've moved them to
> misc/freebsd-release-manifests and made both ports depend on it.

Sounds good.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
Re: Are signatures of system images verified?
On Wed, Jun 29, 2016 at 04:50:55PM -0700, Colin Percival wrote:
> On 06/29/16 16:38, Bryan Drewery wrote:
> > Around that time (January 2016), Colin Percival has been maintaining a
> > copy of the MANIFESTS in ports-mgmt/poudriere as well.
>
> For the record, I obtained these files by downloading the release ISOs,
> verifying their hashes against the signed release announcements, and
> then extracting the MANIFEST files from the ISOs, and I intend to do
> this for future releases as well. I think the consensus was that this
> was a better option than adding "commit MANIFEST files to the ports
> tree" to the already very lengthy release engineering checklist, but
> of course I'd have no objection to handing over this task if re@ wanted
> it for some reason. :-)
>

There are other (valid) reasons for having these signed "somewhere". I'm sure there are more use cases than bootonly.iso and poudriere that use these files. So, it's on my list, but since we have the MANIFESTs you already gathered, no immediate plan to make this retroactive.

Glen