Fwd: Signatures
Felix Friedlander
felixphew0 at gmail.com
Fri Dec 30 06:56:22 UTC 2016
Re-including the list.
> Begin forwarded message:
>
> From: Felix Friedlander <felixphew0 at gmail.com>
> Subject: Re: Signatures
> Date: 30 December 2016 at 5:55:06 pm AEDT
> To: Specter <neurospecter at protonmail.ch>
>
>
>> On 30 Dec 2016, at 5:46 pm, Specter <neurospecter at protonmail.ch> wrote:
>>
>> Felix,
>>
>> Thank you for your response, although that comes as quite a surprise. I've had the impression that BSD is for the security conscious yet you do not sign your ISOs. I'm a Linux user at the moment and just about every Linux developer out there signs their ISOs. I just can't imagine that's the case.
>>
>> Are you absolutely sure? I have actually found that key before but as you said, that is not a signing key for the ISOs which is what I need. I refuse to use anything that has not been properly signed. I am very security conscious.
>>
>> Thanks,
>> Spectral
>>
>>
>>> -------- Original Message --------
>>> Subject: Re: Signatures
>>> Local Time: 29 December 2016 10:40 PM
>>> UTC Time: 30 December 2016 06:40
>>> From: felixphew0 at gmail.com
>>> To: Specter <neurospecter at protonmail.ch>
>>> freebsd-questions at freebsd.org <freebsd-questions at freebsd.org>
>>>
>>>> On 30 Dec 2016, at 5:27 pm, Specter via freebsd-questions <freebsd-questions at freebsd.org> wrote:
>>>>
>>>> Hello, I was wondering where you've posted your public signing keys? I have not been able to find them anywhere. And where can I find the signature files for your ISOs?
>>>>
>>>> Thanks,
>>>> Spectral
>>>
>>> To the best of my knowledge, FreeBSD ISO images are not signed. You can verify their integrity (to a degree) using the checksums (example: http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/ISO-IMAGES/11.0/CHECKSUM.SHA256-FreeBSD-11.0-RELEASE-amd64 ).
>>>
>>> The only “official” PGP key for the project (as far as I’m aware) belongs to the security officer, and is used for signing security advisories. You can find the key at https://www.freebsd.org/security/so_public_key.asc and the advisories at https://www.freebsd.org/security/advisories.html.
>>>
>>> Feel free to correct me, anyone, if this is out-of-date or incorrect.
>>>
>>> --
>>> Felix Friedlander <felixphew0 at gmail.com>
>>>
>>
>
> Hi,
>
> As I suspected, my information was quite out-of-date.
>
> Signed checksums for each release can be found on the website, near the release announcements, notes, and errata. For example: https://www.freebsd.org/releases/11.0R/signatures.html contains all the relevant signatures for FreeBSD 11.0-RELEASE.
>
> I’m not entirely sure which key these are signed with, but it should be one of the keys found at https://www.freebsd.org/doc/en/articles/pgpkeys/ (downloadable as one file at https://www.freebsd.org/doc/pgpkeyring.txt if you need to automate this or something).
>
> --
> Felix Friedlander <felixphew0 at gmail.com>
>
--
Felix Friedlander <felixphew0 at gmail.com>
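
The check described in the message above (signed checksum file, project keyring, then the image digest), as an added example that is not part of the original thread or FreeBSD's own tooling. It assumes the signature file is PGP clearsigned and lists digests in the BSD format `SHA256 (name) = hex`; the script name and all file arguments are hypothetical.

```shell
#!/bin/sh
# Added example: verify a clearsigned checksum file, then an image against it.
# Usage (script name is hypothetical): sh verify-image.sh SIGNED_CHECKSUMS KEYRING IMAGE

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verified_checksums SIGNED KEYRING OUT
# Import KEYRING into a throwaway GnuPG home and write only the signed text
# of SIGNED to OUT. Fails unless an imported key made a good signature.
verified_checksums() {
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$2" &&
        gpg --homedir "$home" --batch --yes --output "$3" --decrypt "$1"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# check_image CHECKSUMS IMAGE
# Look up the line "SHA256 (name) = hex" for IMAGE's base name and compare it
# with the digest of the file on disk. Returns 0 match, 1 mismatch, 2 no entry.
check_image() {
    name=$(basename "$2")
    want=$(awk -v n="($name)" '$1 == "SHA256" && $2 == n && $3 == "=" { print $4 }' "$1")
    [ -n "$want" ] || { echo "no SHA256 entry for $name" >&2; return 2; }
    got=$(sha256_of "$2")
    [ "$got" = "$want" ] || { echo "digest mismatch for $name" >&2; return 1; }
}

if [ "$#" -eq 3 ]; then
    out=$(mktemp) || exit 1
    verified_checksums "$1" "$2" "$out" && check_image "$out" "$3"
    rc=$?
    rm -f "$out"
    [ "$rc" -eq 0 ] && echo "OK: $3"
    exit "$rc"
fi
```

Importing the whole keyring accepts a good signature from any key in it; once the key that signs releases is known, import only that key.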