Cryptographic signatures of installer sets
Nathan Dorfman
ndorf at rtfm.net
Tue Feb 11 23:31:42 UTC 2020
Sorry for my delayed response.
On Mon, Feb 03, 2020 at 01:57:10PM +0000, Glen Barber wrote:
> First, if one installs from a snapshot, the MANIFEST file would only be
> valid until the next snapshot build.
>
> The second and third problems are somewhat related: the various
> distribution sets (base.txz, lib32.txz, etc.) are not updated with each
> patch release. (I have been pondering the "right way(tm)" to do this
> for some time, but that is more or less orthogonal to the real problem
> at hand here.) The other issue is freebsd-update(8) does not work with
> snapshot builds (from stable/X or head).
Oops. I hadn't realized freebsd-update, with the -r option, couldn't be
used to upgrade to the next snapshot. Since that is the case, it seems
fine to support -RELEASEs only.
> But for X.Y-RELEASE, one could use 'bsdinstall jail' to create the jail,
> then invoke freebsd-update(8) with the '-b' flag to the jail location.
Right, and this is no different than the current situation.
> The patch I have at the moment looks for the MANIFEST (rather, the
> <arch>-<target_arch>-<X.Y-RELEASE>) file in the location they are
> installed by the misc/freebsd-release-manifests package.
This seems reasonable, but I think the checksum script is also used by
the system installer (not just the jail setup script).
Have you considered the possibility of simply publishing a detached
signature with every MANIFEST, in a similar manner to what is done for
the installer images?
Those use PGP, requiring the gnupg package to verify, but OpenSSL could
also be used.
-nd.
More information about the freebsd-security
mailing list