Cryptographic signatures of installer sets

Glen Barber gjb at freebsd.org
Mon Feb 3 13:57:14 UTC 2020


On Sat, Feb 01, 2020 at 11:34:20PM +0000, Nathan Dorfman wrote:
> On Thu, Jan 30, 2020 at 01:22:39PM +0000, Glen Barber wrote:
> > I honestly wasn't aware there was a jail subcommand to bsdinstall.
> > I think, rather than creating /usr/freebsd-dist on the host system, we
> > should instead check if the misc/freebsd-release-manifests package is
> > installed and bail if it does not.  This package contains the MANIFEST
> > files from past releases (and in-progress releases, including BETA and
> > RC builds).
> > 
> > Does that seem like a reasonable solution?
> 
> Well, that only works for actual releases. The one from the installation
> medium would work in all cases, such as if one installs a snapshot, or a
> custom build. It would have to be kept up to date by freebsd-update,
> though.
> 

There are three problems here.

First, if one installs from a snapshot, the MANIFEST file would only be
valid until the next snapshot build.

The second and third problems are somewhat related: the various
distribution sets (base.txz, lib32.txz, etc.) are not updated with each
patch release.  (I have been pondering the "right way(tm)" to do this
for some time, but that is more or less orthogonal to the real problem
at hand here.)  The other issue is freebsd-update(8) does not work with
snapshot builds (from stable/X or head).

But for X.Y-RELEASE, one could use 'bsdinstall jail' to create the jail,
then invoke freebsd-update(8) with the '-b' flag to the jail location.

> Also, you would need to add logic to select the correct manifest from
> the ones in the package, whereas one from the initial install (and
> freebsd-update) would be the only one. That could be as simple as
> stripping the -p123 suffixes from `uname -r`, but why?
> 

I have a patch locally to do just this, but I haven't committed it yet
because I am not entirely fond of the approach, and want to think about
it a bit more.

> FWIW, the /usr/freebsd-dist location can be overridden by setting
> $BSDINSTALL_DISTDIR, but the checksum script[1] will expect to find the
> manifest and sets in the same directory regardless.
> 

The patch I have at the moment looks for the MANIFEST (rather, the
<arch>-<target_arch>-<X.Y-RELEASE>) file in the location they are
installed by the misc/freebsd-release-manifests package.

Glen
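The verification step the thread keeps circling back to (the installer's checksum script expecting the MANIFEST and the sets side by side under $BSDINSTALL_DISTDIR) can be illustrated with a small script. This is an added example, not Glen's patch and not bsdinstall's own checksum script; it assumes the tab-separated MANIFEST layout the installer uses (set name, sha256, file count, short name, description, default selection) and that either sha256sum or sha256 is on the PATH.

```shell
#!/bin/sh
# Added example (not bsdinstall's checksum script): verify distribution sets
# against a FreeBSD-style MANIFEST in ${BSDINSTALL_DISTDIR:-/usr/freebsd-dist}.
# Assumed MANIFEST format, tab-separated:
#   base.txz <sha256> <nfiles> base "Base system (MANDATORY)" on

# Portable SHA-256 of a file (sha256sum on Linux, sha256(1) on FreeBSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# verify_sets MANIFEST DISTDIR: check every set listed in MANIFEST is present
# in DISTDIR and hashes to the recorded value. Returns 0 only if all match.
verify_sets() {
    manifest="$1"; distdir="$2"; rc=0
    while IFS="$(printf '\t')" read -r name want _count _short _desc _sel; do
        [ -n "$name" ] || continue
        set_file="$distdir/$name"
        if [ ! -f "$set_file" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        have=$(sha256_of "$set_file")
        if [ "$have" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (have $have, want $want)" >&2; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Build a constructed dist directory: two tiny stand-in "sets" plus a
# MANIFEST whose hashes match them. Prints the directory path.
make_demo_distdir() {
    d=$(mktemp -d)
    printf 'constructed base set\n' > "$d/base.txz"
    printf 'constructed kernel set\n' > "$d/kernel.txz"
    {
        printf 'base.txz\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' "$(sha256_of "$d/base.txz")"
        printf 'kernel.txz\t%s\t1\tkernel\t"Kernel (MANDATORY)"\ton\n' "$(sha256_of "$d/kernel.txz")"
    } > "$d/MANIFEST"
    echo "$d"
}

# Demo: clean directory verifies; a modified set is reported as MISMATCH.
demo=$(make_demo_distdir)
verify_sets "$demo/MANIFEST" "$demo"
printf 'tampered\n' >> "$demo/kernel.txz"
verify_sets "$demo/MANIFEST" "$demo" || echo "verification failed as expected"
rm -rf "$demo"
```

Point it at a real directory with `verify_sets "$BSDINSTALL_DISTDIR/MANIFEST" "$BSDINSTALL_DISTDIR"`; as the thread notes, the MANIFEST must be the one matching the sets actually present (a snapshot MANIFEST is only good until the next snapshot build).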
