Signatures
Karl Vogel
vogelke at pobox.com
Sat Dec 31 04:40:56 UTC 2016
>> On Fri, Dec 30, 2016 at 05:40:32PM +1100, Felix Friedlander wrote:
> To the best of my knowledge, FreeBSD ISO images are not signed.
> You can verify their integrity (to a degree) using the checksums [...]
> The only "official" PGP key for the project (as far as I'm aware) belongs
> to the security officer, and is used for signing security advisories.
Would the security officer be willing to sign a file containing the
hashes? It should be pretty easy to automate, and that approach made
me more confident about using some Google Code stuff.

Making the hash list:

  me% sha1sum a.iso b.iso c.iso > list.sha
  me% gpg2 -sa -u 0xSOME_KEY_HERE --batch --clearsign list.sha
  me% rm list.sha
  me% cat list.sha.asc
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256

  4108f1183f0816fc0074011da4cf7a45b231b728 a.iso
  a7a50013af0e4a0605608d1733390bb809ec1c1a b.iso
  99d2dcca01881f277152bdbaa5adc46f8951bcfc c.iso
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v2

  iQIcBAEBCAAG yadda yadda yadda yadda yadda yadda ...
  =qMgx
  -----END PGP SIGNATURE-----

Verifying it:

  me% gpg2 --verify list.sha.asc
  gpg: Signature made Fri Dec 30 23:29:35 2016 EDT using RSA key ID xxxxxxxx
  gpg: Good signature from "(Signing key)" [ultimate]

--
Karl Vogel I don't speak for the USAF or my company
Crack-crazed squirrels terrorize New York
--National Examiner article, 28 Nov 2005
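
Added example, not part of the message above: the downloader's side of this scheme, which checks the signature, pins the signer's fingerprint, and feeds only the signed text to sha1sum. The function name verify_images, the GPG variable and the fingerprint argument are assumptions made for this sketch; the signer's public key is assumed to be in the keyring already.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the signer's
# public key is already in the keyring, and its full fingerprint (40 hex
# digits, upper case, no spaces) came over a trusted channel.
GPG="${GPG:-gpg2}"   # which gpg binary to run

# verify_images LIST.asc FINGERPRINT [DIR]
# Returns 0 only if LIST.asc carries a valid signature by FINGERPRINT and
# every file named in the signed text matches its SHA-1 in DIR.
verify_images() {
    asc=$1; fpr=$2; dir=${3:-.}
    tmp=$(mktemp -d) || return 2

    # --decrypt on a clearsigned file checks the signature and writes out
    # only the text it covers, so lines pasted above or below the signed
    # block never reach sha1sum. Machine-readable status goes to stdout.
    if ! "$GPG" --batch --status-fd 1 --output "$tmp/list.sha" \
            --decrypt "$asc" >"$tmp/status" 2>/dev/null; then
        echo "bad or missing signature on $asc" >&2
        rm -rf "$tmp"; return 1
    fi

    # gpg exits 0 for a good signature from *any* key in the keyring.
    # VALIDSIG carries the signing key's fingerprint (field 3) and the
    # primary key's fingerprint (last field); require one to match.
    if ! awk -v f="$fpr" '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
                          END { exit !ok }' "$tmp/status"; then
        echo "signature is not from $fpr" >&2
        rm -rf "$tmp"; return 1
    fi

    # Check the images against the verified list only.
    ( cd "$dir" && sha1sum -c "$tmp/list.sha" )
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Running `sha1sum -c list.sha.asc` directly on the clearsigned file would also accept checksum lines that sit outside the signed block, which is why the list is extracted through gpg first.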
More information about the freebsd-questions
mailing list