Are signatures of system images verified?
Glen Barber
gjb at FreeBSD.org
Wed Jun 29 23:46:46 UTC 2016
On Wed, Jun 29, 2016 at 04:38:05PM -0700, Bryan Drewery wrote:
> On 6/29/2016 4:03 PM, Glen Barber wrote:
> > On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> >> On 06/29/2016 14:59, Glen Barber wrote:
> >>> If I understand what you mean correctly, that would imply poudriere is
> >>> responsible for the contents of base.txz, which it is not. I think the
> >>> better solution (if I understood correctly) is RE needs to PGP-sign the
> >>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >>> it in the announcement email for the release, as well as on the website.
> >>>
> >>> Please correct me if I did misunderstand.
> >>>
> >>> This way, poudriere could verify the hash of the file against what it
> >>> has downloaded, in addition to verifying the PGP fingerprint.
> >>
>
> FYI since Poudriere 3.1.11, it has compared the checksums in the
> MANIFEST against the downloaded packages. It also now uses
> https://download.freebsd.org by default. It requires
> security/ca_root_nss. I thought I had forced that dependency but it was
> missing. It is added now.
>
Ah, great, thank you. To those interested, the MANIFEST files included
were obtained in a secure manner, i.e., bootonly.iso was downloaded and
extracted after the checksum was compared to the PGP-signed email.
> Around that time (January 2016), Colin Percival has been maintaining a
> copy of the MANIFESTS in ports-mgmt/poudriere as well. Those get
> installed with Poudriere and used during jail -c after fetching if
> available, so that relying on https isn't required. These were missing
> for ports-mgmt/poudriere-devel until just now. I've moved them to
> misc/freebsd-release-manifests and made both ports depend on it.
>
I completely forgot about this. Thank you.
Glen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-pkgbase/attachments/20160629/79cd9a93/attachment.sig>
More information about the freebsd-pkgbase
mailing list