Signed Checksums for release archives
Clint Armstrong
clint at clintarmstrong.net
Sun Jan 10 21:07:42 UTC 2016
My use case is for creating Jails. I'm trying to script downloading and
extracting an archive for a jail and would like to be able to verify the
download.
On Sun, Jan 10, 2016 at 3:01 PM James Keener <jim at jimkeener.com> wrote:
> That doesn't help if a mirror is compromised or control is lost. Those
> already downloaded installers can't update their mirror list.
>
> Jim
>
>
> On January 10, 2016 2:54:44 PM EST, Dmitry Morozovsky <marck at rinet.ru>
> wrote:
>>
>> On Sun, 10 Jan 2016, Clint Armstrong wrote:
>>
>> The signed checksums linked on that page only include checksums for the
>>> .img and .iso images. Not for the .txz archives.
>>>
>>
>> Ah I see. But nevertheless, these .txz's are almost always accessed from the
>> installer, which selects only approved mirror from well-defined list, and
>> connects to them over TLS...
>>
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
More information about the freebsd-security
mailing list