Karl Vogel vogelke at
Sat Dec 31 04:40:56 UTC 2016

>> On Fri, Dec 30, 2016 at 05:40:32PM +1100, Felix Friedlander wrote:

> To the best of my knowledge, FreeBSD ISO images are not signed.
> You can verify their integrity (to a degree) using the checksums [...]
> The only "official" PGP key for the project (as far as I'm aware) belongs
> to the security officer, and is used for signing security advisories.

  Would the security officer be willing to sign a file containing the
  hashes?  It should be pretty easy to automate, and that approach made
  me more confident about using some Google Code stuff.

  Making the hash list:

    me% sha1sum a.iso b.iso c.iso > list.sha
    me% gpg2 -sa -u 0xSOME_KEY_HERE --batch --clearsign list.sha
    me% rm list.sha

    me% cat list.sha.asc
    Hash: SHA256

    4108f1183f0816fc0074011da4cf7a45b231b728  a.iso
    a7a50013af0e4a0605608d1733390bb809ec1c1a  b.iso
    99d2dcca01881f277152bdbaa5adc46f8951bcfc  c.iso
    Version: GnuPG v2

    iQIcBAEBCAAG yadda yadda yadda yadda yadda yadda ...
    -----END PGP SIGNATURE-----

  Verifying it:

    me% gpg2 --verify list.sha.asc
    gpg: Signature made Fri Dec 30 23:29:35 2016 EDT using RSA key ID xxxxxxxx
    gpg: Good signature from "(Signing key)" [ultimate]

Karl Vogel                      I don't speak for the USAF or my company

Crack-crazed squirrels terrorize New York
                            --National Examiner article, 28 Nov 2005

More information about the freebsd-questions mailing list