Cryptographically signed ISO images

A.J. Kehoe IV (Nanoman) nanoman at nanoman.ca
Mon Mar 3 19:33:46 UTC 2014


RW wrote:
>On Mon, 3 Mar 2014 19:31:52 +0200
>Reko Turja wrote:
>
>> -----Original Message-----
>> From: RW
>>
>> On Mon, 3 Mar 2014 10:21:46 -0600 (CST)
>> Valeri Galtsev wrote:
>>
>> >> Yes, but: if you verified the certificate of https host, you can be
>> >> sure that ftp on the same IP address is owned by the same people.
>>
>> > The IP addresses of www.freebsd.org and ftp.freebsd.org are
>> > different, but even if they weren't that wouldn't protect against
>> > man-in-the-middle attacks.
>>
>> Hmm, grab the sha256 checksum of iso image from
>> https://freebsd.org -address. Compare the said checksum to the
>> downloaded image. The certainty that the image isn't tampered with
>> should be strong enough.
>
>We're going in circles.
>
>If such HTTPS checksum links exist, they are not obvious.  The main ISO
>links on the "Getting FreeBSD" page go to FTP, the HTTP links on the
>mirrors page don't appear to support HTTPS.

On the "Getting FreeBSD" page, I think it would be a great idea to add a copy of the PGP signed RELEASE announcements (https://lists.freebsd.org/pipermail/freebsd-announce/2014-January/001532.html), and to have them available for download via HTTPS.  You should suggest something like this by sending a PR:

https://www.freebsd.org/send-pr.html

-- 
A.J. Kehoe IV (Nanoman)     |  /"\  ASCII Ribbon Campaign
Nanoman's Company           |  \ /   - No HTML/RTF in E-mail
E-mail: nanoman at nanoman.ca  |   X    - No proprietary attachments
WWW: http://www.nanoman.ca/ |  / \   - Respect for open standards
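As an added example, not code from anyone in this thread: a POSIX shell function that checks a downloaded image against a FreeBSD-style `CHECKSUM.SHA256` line (`SHA256 (FILE) = HEXDIGEST`), assuming the checksum file itself was fetched over HTTPS or taken from a PGP-verified announcement. The function names and the demo data are constructed for illustration.

```shell
#!/bin/sh
# Verify a downloaded ISO against an entry in a CHECKSUM.SHA256 list whose
# lines look like:  SHA256 (FILENAME) = HEXDIGEST
# Assumption (not from the thread): the checksum list is the trust anchor,
# i.e. it arrived over HTTPS or inside a PGP-verified announcement.

# Portable SHA-256: FreeBSD ships sha256(1), Linux ships sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Print the listed digest for the bare filename $2 from checksum file $1.
# Exits non-zero when the file is not listed at all.
expected_digest() {
    awk -v f="$2" '
        $1 == "SHA256" && $2 == ("(" f ")") && $3 == "=" { print $4; found = 1 }
        END { exit !found }' "$1"
}

# verify_iso ISO CHECKSUMFILE
#   returns 0 on match, 1 on digest mismatch, 2 if the ISO is not listed
verify_iso() {
    iso=$1
    sums=$2
    want=$(expected_digest "$sums" "$(basename "$iso")") || return 2
    have=$(sha256_of "$iso")
    [ "$have" = "$want" ] && return 0
    return 1
}

# Constructed demo data: a fake image plus a matching checksum line.
# Prints the directory holding demo.iso and CHECKSUM.SHA256.
demo_setup() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed image contents\n' > "$tmp/demo.iso"
    printf 'SHA256 (demo.iso) = %s\n' "$(sha256_of "$tmp/demo.iso")" \
        > "$tmp/CHECKSUM.SHA256"
    echo "$tmp"
}
```

The comparison only proves anything when the checksum list came from an authenticated source; a list pulled from the same unauthenticated FTP mirror as the image gives no protection against a man-in-the-middle who can rewrite both.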

