Are signatures of system images verified?

Bryan Drewery bdrewery at FreeBSD.org
Wed Jun 29 23:38:11 UTC 2016


On 6/29/2016 4:03 PM, Glen Barber wrote:
> On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
>> On 06/29/2016 14:59, Glen Barber wrote:
>>> If I understand what you mean correctly, that would imply poudriere is
>>> responsible for the contents of base.txz, which it is not.  I think the
>>> better solution (if I understood correctly) is RE needs to PGP-sign the
>>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
>>> it in the announcement email for the release, as well as on the website.
>>>
>>> Please correct me if I did misunderstand.
>>>
>>> This way, poudriere could verify the hash of the file against what it
>>> has downloaded, in addition to verifying the PGP fingerprint.
>>

FYI, since Poudriere 3.1.11, it has compared the checksums in the
MANIFEST against the downloaded packages.  It also now uses
https://download.freebsd.org by default.  It requires
security/ca_root_nss.  I thought I had forced that dependency but it was
missing.  It is added now.

Since around that time (January 2016), Colin Percival has been maintaining a
copy of the MANIFESTs in ports-mgmt/poudriere as well.  Those get
installed with Poudriere and used during jail -c after fetching if
available, so that relying on https isn't required.  These were missing
for ports-mgmt/poudriere-devel until just now.  I've moved them to
misc/freebsd-release-manifests and made both ports depend on it.

>>
>> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
>> binaries should be signed.
>>
> 
> Ok, got it.
> 
>> I don't quite understand the connection between the poudriere run and the
>> announcement email. Could you please elaborate on this? Just downloading
>> something from the website isn't secure either.
>>
> 
> The only correlation there is a link to a web page containing PGP-signed
> checksum files (for the ISOs).
> 
> This is "new" as of 10.2-RELEASE.  So, what I mean (or meant to say) is
> poudriere could fetch the base.txz file, fetch the signed checksum (of
> the MANIFEST), and compare it against something like this:
> 
> https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc
> 
> Hopefully that makes it a bit more clear on what I meant.
> 
> Glen
> 


-- 
Regards,
Bryan Drewery
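The two checks discussed in this thread, the MANIFEST hash comparison that Poudriere does after fetching and the PGP verification of the signed checksum file that Glen links, as an added example. This is not Poudriere's or RE's own code. It assumes the tab-separated MANIFEST layout (filename, SHA256, file count, dist name, description, default flag), builds a constructed MANIFEST and dummy distribution files in a temporary directory, and only wraps gpg for the signature step; the keyring path and the .asc file are inputs the caller supplies.

```shell
#!/bin/sh
# Added example, not Poudriere's or RE's code.
# Verify a downloaded distribution file against the SHA256 recorded in a
# release MANIFEST, and verify the PGP signature on a checksum file before
# trusting what it says.
# Assumed MANIFEST layout (tab-separated):
#   filename  sha256  file-count  dist-name  description  default-flag

set -u

# Print the SHA256 of a file; uses coreutils sha256sum or BSD sha256.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        echo "no sha256 tool found" >&2
        return 2
    fi
}

# manifest_sha256 MANIFEST NAME: print the recorded hash for NAME, or fail.
manifest_sha256() {
    awk -F'\t' -v name="$2" \
        '$1 == name { print $2; found = 1 } END { exit(found ? 0 : 1) }' "$1"
}

# verify_dist MANIFEST DIR NAME: 0 if DIR/NAME matches its MANIFEST entry,
# 1 on a missing entry or a hash mismatch, 2 if no hash tool is available.
verify_dist() {
    manifest=$1; dir=$2; name=$3
    expected=$(manifest_sha256 "$manifest" "$name") || {
        echo "$name: not in MANIFEST" >&2; return 1; }
    actual=$(sha256_of "$dir/$name") || return 2
    if [ "$expected" = "$actual" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (manifest $expected, got $actual)" >&2
    return 1
}

# verify_signature ASCFILE KEYRING: gpg verification of a signed checksum
# file such as CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc.  The keyring
# is given explicitly so a stray key in ~/.gnupg cannot satisfy the check.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --no-default-keyring --keyring "$2" --verify "$1"
}

# Self-contained demo on constructed data: one good entry and one entry whose
# recorded hash is wrong, standing in for a corrupted or tampered file.
demo() {
    tmp=$(mktemp -d)
    printf 'hello from base\n' > "$tmp/base.txz"
    printf 'kernel bits\n' > "$tmp/kernel.txz"
    h=$(sha256_of "$tmp/base.txz")
    zeros=0000000000000000000000000000000000000000000000000000000000000000
    printf 'base.txz\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' "$h" \
        > "$tmp/MANIFEST"
    printf 'kernel.txz\t%s\t1\tkernel\t"Kernel"\ton\n' "$zeros" \
        >> "$tmp/MANIFEST"
    if verify_dist "$tmp/MANIFEST" "$tmp" base.txz; then ok=0; else ok=$?; fi
    if verify_dist "$tmp/MANIFEST" "$tmp" kernel.txz; then bad=0; else bad=$?; fi
    rm -rf "$tmp"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

The hash comparison only proves the file matches the MANIFEST; what makes the MANIFEST itself trustworthy is either the PGP signature on the published checksum file (verify_signature, run before anything in it is used) or, as described above, shipping a copy of the MANIFEST inside the port so the https fetch is not the only thing standing between the user and a substituted base.txz.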
