Are signatures of system images verified?
Yuri
yuri at rawbw.com
Wed Jun 29 21:21:08 UTC 2016
Both the system installer and poudriere jails take images from
http://ftp.freebsd.org/pub/FreeBSD/releases/
But I can't see that there is a signature anywhere there that is
verified during the download.
For example, pkg(8) uses the key fingerprint
/usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify
downloads. This is the only file under /usr/share/keys/.
Does this mean that system images aren't verified and MITM is possible,
or am I missing something?
Yuri
More information about the freebsd-pkgbase mailing list