Are signatures of system images verified?

2016-06-29 Thread Yuri
Both the system installer and poudriere jails take images from 
http://ftp.freebsd.org/pub/FreeBSD/releases/


But I can't see that there is a signature anywhere there that is 
verified during the download.


For example, pkg(8) uses the key fingerprint 
/usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify 
downloads. This is the only file under /usr/share/keys/.


Does this mean that system images aren't verified and MITM is possible, 
or am I missing something?



Yuri

___
freebsd-pkgbase@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pkgbase
To unsubscribe, send any mail to "freebsd-pkgbase-unsubscr...@freebsd.org"


Re: Are signatures of system images verified?

2016-06-29 Thread Yuri

On 06/29/2016 14:32, Glen Barber wrote:

> But you raise a good point, poudriere does not have a good way to
> validate the base.txz unless it also unpacks bootonly.iso (or any of the
> installer media) and compares the checksums.



A possible solution is that poudriere should supply a public key as 
part of the package, and all binaries that it downloads are also signed 
with the corresponding private key.



Yuri



Re: Are signatures of system images verified?

2016-06-29 Thread Yuri

On 06/29/2016 14:59, Glen Barber wrote:

> If I understand what you mean correctly, that would imply poudriere is
> responsible for the contents of base.txz, which it is not.  I think the
> better solution (if I understood correctly) is RE needs to PGP-sign the
> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> it in the announcement email for the release, as well as on the website.
>
> Please correct me if I did misunderstand.
>
> This way, poudriere could verify the hash of the file against what it
> has downloaded, in addition to verifying the PGP fingerprint.



Yes, only MANIFEST should be signed; I made a mistake suggesting that 
all binaries should be signed.



I don't quite understand the connection between the poudriere run and 
the announcement email. Could you please elaborate on this? Just 
downloading something from the website isn't secure either.



Thank you,

Yuri

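The verification chain discussed in this thread, as an added example that is not poudriere's, bsdinstall's or RE's code: a PGP-signed MANIFEST is checked with a key that is already in the local keyring (obtained out of band, not from the same website the images come from), and the SHA-256 of each downloaded distribution set is then compared against the MANIFEST entry. The MANIFEST lines are constructed here in the tab-separated layout of the release MANIFEST files (file name, SHA-256, file count, component name, description, default flag); the file names, the `demo` function and the stand-in `base.txz` contents are assumptions for the example.

```sh
#!/bin/sh
# Added example: verify a downloaded distribution set against a signed MANIFEST.
# Not poudriere or bsdinstall code; function and file names are assumptions.
set -eu

# manifest_sha256 MANIFEST NAME -> prints the SHA-256 the MANIFEST records for NAME
# (fields are tab-separated; field 1 is the file name, field 2 the hash).
manifest_sha256() {
    awk -F'\t' -v f="$2" '$1 == f { print $2; exit }' "$1"
}

# file_sha256 PATH -> prints the SHA-256 of PATH (sha256sum on Linux, sha256 -q on FreeBSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# verify_manifest_sig MANIFEST MANIFEST.asc -> 0 if the detached PGP signature verifies.
# The RE public key must already be in the keyring; fetching it from the same
# server as the images would defeat the purpose.
verify_manifest_sig() {
    gpg --verify "$2" "$1"
}

# verify_dist MANIFEST FILE -> 0 if FILE's hash matches its MANIFEST entry, 1 otherwise.
verify_dist() {
    expected=$(manifest_sha256 "$1" "$(basename "$2")")
    if [ -z "$expected" ]; then
        echo "no entry for $(basename "$2") in $1" >&2
        return 1
    fi
    actual=$(file_sha256 "$2")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $2"
        return 0
    fi
    echo "MISMATCH: $2 (MANIFEST $expected, downloaded $actual)" >&2
    return 1
}

# demo -> 0 if a good file verifies and a tampered copy is rejected.
# Uses a constructed stand-in for base.txz and a constructed MANIFEST line.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for base.txz\n' > "$tmp/base.txz"
    # Constructed MANIFEST entry built from the real hash of the stand-in file.
    printf 'base.txz\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' \
        "$(file_sha256 "$tmp/base.txz")" > "$tmp/MANIFEST"
    verify_dist "$tmp/MANIFEST" "$tmp/base.txz" || return 1
    # Simulate an altered download: one extra byte must be detected.
    printf 'x' >> "$tmp/base.txz"
    if verify_dist "$tmp/MANIFEST" "$tmp/base.txz" 2>/dev/null; then
        echo "tampering not detected" >&2
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Run the demonstration only when invoked as: sh verify_dist.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

In a real fetch the order matters: `verify_manifest_sig MANIFEST MANIFEST.asc` first, and only then `verify_dist MANIFEST base.txz` for each set, so that a MITM who can serve a modified base.txz and a matching modified MANIFEST still fails at the signature step. The hash comparison alone only proves the file matches whatever MANIFEST was downloaded.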