Are signatures of system images verified?

Yuri yuri at rawbw.com
Wed Jun 29 21:21:08 UTC 2016


Both the system installer and poudriere jails take images from 
http://ftp.freebsd.org/pub/FreeBSD/releases/

But I can't see that there is a signature anywhere there that is 
verified during the download.

For example, pkg(8) uses the key fingerprint 
/usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify 
downloads. This is the only file under /usr/share/keys/.


Does this mean that system images aren't verified and MITM is possible, 
or am I missing something?


Yuri



More information about the freebsd-pkgbase mailing list