Are signatures of system images verified?

Glen Barber gjb at FreeBSD.org
Wed Jun 29 23:03:28 UTC 2016


On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> On 06/29/2016 14:59, Glen Barber wrote:
> >If I understand what you mean correctly, that would imply poudriere is
> >responsible for the contents of base.txz, which it is not.  I think the
> >better solution (if I understood correctly) is RE needs to PGP-sign the
> >releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >it in the announcement email for the release, as well as on the website.
> >
> >Please correct me if I did misunderstand.
> >
> >This way, poudriere could verify the hash of the file against what it
> >has downloaded, in addition to verifying the PGP fingerprint.
> 
> 
> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
> binaries should be signed.
> 

Ok, got it.

> I don't quite understand the connection between the poudriere run and the
> announcement email. Could you please elaborate on this? Just downloading
> something from the website isn't secure either.
> 

The only correlation there is a link to a web page containing PGP-signed
checksum files (for the ISOs).

This is "new" as of 10.2-RELEASE.  So, what I mean (or meant to say) is
poudriere could fetch the base.txz file, fetch the signed checksum (of
the MANIFEST), and compare it against something like this:

https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc

Hopefully that makes it a bit clearer what I meant.

Glen
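
The check Glen sketches (fetch the file, fetch the PGP-signed checksum list, verify the signature, then compare the digest) as an added example; this is not code from the thread, from poudriere or from FreeBSD RE. It assumes the FreeBSD release-signing key is already imported into the gpg keyring, that the list is either a clearsigned CHECKSUM.SHA256-*.asc in the `SHA256 (file) = hex` form or a MANIFEST in the tab-separated `file<TAB>hex<TAB>...` form, and that one of sha256, sha256sum, shasum or openssl is installed. `RELEASE_KEY_FPR` is an assumed environment variable for pinning the signing-key fingerprint, not something poudriere defines.

```shell
#!/bin/sh
# Added example (not from the thread, poudriere, or FreeBSD RE).
# Assumptions: release key already in the gpg keyring; checksum list is
# either "SHA256 (name) = hex" (CHECKSUM.SHA256-*.asc) or "name<TAB>hex..."
# (MANIFEST); RELEASE_KEY_FPR is a hypothetical variable holding the pinned
# fingerprint of the key expected to have signed the list.

# SHA-256 of a file, portable across FreeBSD, Linux and macOS.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Verify the clearsigned .asc with gpg and write only the signed payload to
# stdout. Never grep the .asc itself: text outside the signed block, or a
# block signed by some other key, is attacker-controlled. Fails unless gpg
# reports a good signature, and (if RELEASE_KEY_FPR is set) unless the
# VALIDSIG status line names exactly that fingerprint.
verified_payload() {
    status=$(mktemp) || return 1
    if ! gpg --batch --status-fd 3 --output - --decrypt "$1" 3>"$status"; then
        rm -f "$status"; return 1
    fi
    if [ -n "${RELEASE_KEY_FPR:-}" ] &&
       ! grep -q "^\[GNUPG:\] VALIDSIG $RELEASE_KEY_FPR " "$status"; then
        rm -f "$status"; echo "list signed by an unexpected key" >&2; return 1
    fi
    rm -f "$status"
}

# Expected digest of $2 according to list $1; prints nothing if not listed.
# Handles both list formats described above.
expected_sha256() {
    awk -v want="$2" '
        $1 == "SHA256" && $2 == "(" want ")" { print $4; exit }
        $1 == want && NF >= 2 && length($2) == 64 { print $2; exit }
    ' "$1"
}

# Compare a downloaded file against a (already verified) list.
# Exit status: 0 match, 1 mismatch, 2 not listed.
check_file() {
    list=$1; file=$2; name=${3:-$(basename "$file")}
    want=$(expected_sha256 "$list" "$name")
    [ -n "$want" ] || { echo "$name: not in checksum list" >&2; return 2; }
    have=$(sha256_of "$file")
    if [ "$have" = "$want" ]; then
        echo "$name: OK"
    else
        echo "$name: MISMATCH (expected $want, got $have)" >&2
        return 1
    fi
}

# Full flow: signature first, then the digest. Example invocation:
#   verify_release CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc base.txz
verify_release() {
    list=$(mktemp) || return 1
    if ! verified_payload "$1" >"$list"; then
        echo "signature check failed for $1" >&2; rm -f "$list"; return 3
    fi
    if check_file "$list" "$2"; then rc=0; else rc=$?; fi
    rm -f "$list"
    return $rc
}

if [ $# -ge 2 ]; then
    verify_release "$1" "$2"
fi
```

The order matters: the digest comparison proves nothing until the list it came from has been tied to the release key, so `verify_release` refuses to hash anything when gpg does not return a good signature. Pinning the fingerprint through the VALIDSIG status line, rather than trusting whatever key happens to validate, is the "verifying the PGP fingerprint" step from the thread; note that VALIDSIG reports the signing subkey's fingerprint when a subkey made the signature.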
