[Bug 221281] sysutils/ezjail should verify downloaded tarballs before use
bugzilla-noreply at freebsd.org
Mon Aug 7 20:16:08 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221281
--- Comment #2 from Rene Wagner <rw at nelianur.org> ---
Thanks for the quick reply! I'm glad to hear you're actively working on ezjail
again!
As for "bsdinstall jail", does it actually check any signatures?
If I read its source code correctly it appears that it first fetches the
MANIFEST file, then the base.txz listed therein as well as any additional
distribution files selected by the user, and finally computes the SHA256
checksums of the downloaded files which are then compared against the checksums
from the MANIFEST.
The MANIFEST file is not signed. Thus, this will only prevent accidental
corruption of files in transit. It doesn't provide any protection against
malicious tampering, does it?
--
You are receiving this mail because:
You are the assignee for the bug.
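
The verification flow described in the comment above, as an added example that is not part of the original message and is not bsdinstall's code. It compares a check against an unauthenticated MANIFEST with one where the MANIFEST digest is pinned. The tab-separated MANIFEST layout, the function names, the sample bytes and the idea of a pinned digest delivered over a trusted channel are assumptions made for illustration.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_manifest(files):
    # Constructed MANIFEST: "name<TAB>sha256<TAB>..." per line (assumed layout).
    return "".join(
        f"{name}\t{sha256_hex(data)}\t0\t{name.split('.')[0]}\n"
        for name, data in sorted(files.items())
    ).encode()

def parse_manifest(manifest):
    entries = {}
    for line in manifest.decode().splitlines():
        fields = line.split("\t")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries

def verify(manifest, files, pinned_manifest_sha256=None):
    """Return a list of problems; an empty list means the check passed."""
    # Hypothetical hardening: authenticate the MANIFEST itself first.
    if pinned_manifest_sha256 is not None:
        if sha256_hex(manifest) != pinned_manifest_sha256:
            return ["MANIFEST does not match the pinned digest"]
    expected = parse_manifest(manifest)
    problems = []
    for name, data in files.items():
        if name not in expected:
            problems.append(f"{name}: not listed in MANIFEST")
        elif sha256_hex(data) != expected[name]:
            problems.append(f"{name}: SHA256 mismatch")
    return problems

def scenarios():
    genuine = {"base.txz": b"constructed genuine base"}
    manifest = build_manifest(genuine)
    pin = sha256_hex(manifest)  # assumed to arrive over a trusted channel
    corrupted = {"base.txz": b"constructed genuine bas\x00"}
    replaced = {"base.txz": b"constructed replaced base"}
    replaced_manifest = build_manifest(replaced)  # served alongside the file
    return {
        "genuine": verify(manifest, genuine),
        "corrupted_in_transit": verify(manifest, corrupted),
        "both_replaced_unpinned": verify(replaced_manifest, replaced),
        "both_replaced_pinned": verify(replaced_manifest, replaced, pin),
    }

if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(name, "->", problems or "OK")
```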