Are signatures of system images verified?

Glen Barber gjb at FreeBSD.org
Wed Jun 29 21:32:53 UTC 2016


On Wed, Jun 29, 2016 at 02:21:00PM -0700, Yuri wrote:
> Both system installer and poudriere jails take images from
> http://ftp.freebsd.org/pub/FreeBSD/releases/
> 
> But I can't see that there is a signature anywhere there that is verified
> during the download.
> 
> For example, pkg(8) uses the key fingerprint
> /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify downloads.
> This is the only file under /usr/share/keys/
> 
> 
> Does this mean that system images aren't verified and MITM is possible, or am
> I missing something?
> 

This is different from pkgbase: the base.txz, kernel.txz, etc., are
not what would have been installed with pkg(8).

When pkgbase is ready, yes, they will be signed.  The MANIFEST for the
base.txz is checked by bootonly.iso when installing (it has a local
version of the file), so the security model here is:

- bootonly.iso is downloaded, checksums compared to the PGP-signed email
  and the image is "good";

- bsdinstall(8) fetches the remote files, and compares their hashes
  against a known-good MANIFEST (it is part of its filesystem,
  /usr/freebsd-dist/).

But you raise a good point, poudriere does not have a good way to
validate the base.txz unless it also unpacks bootonly.iso (or any of the
installer media) and compares the checksums.

Glen
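The check described in the reply above (bsdinstall comparing the hashes of fetched distribution sets against the known-good MANIFEST it carries in /usr/freebsd-dist/), written out as an added shell example; this is not code from the thread, from bsdinstall or from poudriere. It assumes the MANIFEST is tab-separated with the distribution file name in the first column and its sha256 in the second (the layout FreeBSD release MANIFESTs use), and it builds its own sample MANIFEST and files in a temporary directory so it runs offline. Against a real system you would point it at the MANIFEST taken from bootonly.iso and at the base.txz that was fetched, which is the missing step for poudriere that the reply points out.

```shell
#!/bin/sh
# Added example: verify a fetched distribution set against a MANIFEST.
# Assumed MANIFEST layout (tab-separated), as in FreeBSD release media:
#   <file>  <sha256>  <nfiles>  <name>  <description>  <on|off>
set -u

sha256_of() {
    # Portable digest: sha256sum on Linux, sha256 -q on FreeBSD.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

manifest_hash() {
    # $1 = MANIFEST path, $2 = dist file name; prints the recorded sha256
    # for that file, or nothing if it is not listed.
    awk -F'\t' -v f="$2" '$1 == f { print $2; exit }' "$1"
}

verify_dist() {
    # $1 = MANIFEST path, $2 = directory holding the fetched file,
    # $3 = dist file name (e.g. base.txz).
    # Returns 0 only when the file is listed, present, and its digest
    # matches; 1 on mismatch, 2 if unlisted, 3 if missing.
    expected=$(manifest_hash "$1" "$3")
    if [ -z "$expected" ]; then
        echo "$3: not listed in MANIFEST" >&2
        return 2
    fi
    if [ ! -f "$2/$3" ]; then
        echo "$3: file missing" >&2
        return 3
    fi
    actual=$(sha256_of "$2/$3")
    if [ "$actual" = "$expected" ]; then
        echo "$3: OK"
        return 0
    fi
    echo "$3: CHECKSUM MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo data standing in for /usr/freebsd-dist/MANIFEST and the
# fetched sets: base.txz matches its recorded hash, kernel.txz does not.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf 'hello base\n' > "$DEMO/base.txz"
printf 'tampered\n'   > "$DEMO/kernel.txz"
GOOD=$(sha256_of "$DEMO/base.txz")
printf 'base.txz\t%s\t1\tbase\t"Base system"\ton\n'   "$GOOD" >  "$DEMO/MANIFEST"
printf 'kernel.txz\t%s\t1\tkernel\t"Kernel"\ton\n'   "$GOOD" >> "$DEMO/MANIFEST"

# Stand-alone run: accept the good set, refuse the tampered one.
for d in base.txz kernel.txz; do
    verify_dist "$DEMO/MANIFEST" "$DEMO" "$d" || echo "refusing to install $d" >&2
done
```

The point of the design is that the MANIFEST must come from media whose own checksum was already confirmed against the PGP-signed announcement; a MANIFEST downloaded over the same unauthenticated HTTP channel as base.txz would only let a man-in-the-middle substitute both together.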
