Date:      Sat, 25 Jan 2020 20:00:07 +0000
From:      Nathan Dorfman <na@rtfm.net>
To:        freebsd-security@freebsd.org
Subject:   Cryptographic signatures of installer sets
Message-ID:  <20200125200007.GA11@rtfm.net>

Hello all,

I really hope I'm missing something here, and we can all have a nice
chuckle at my expense.

But I can't see any way the integrity of the installer sets (base.txz,
kernel.txz and friends) can be verified cryptographically? There is a
MANIFEST file containing SHA256 checksums, but it itself does not appear
to be signed in any way.

The installer images do come with PGP-signed checksums. So, when using
an image that already contains all the sets, one can be sure they are
authentic. What happens when one uses a network-only installer, though?
How can it authenticate the sets it downloads from the user's chosen
mirror?

A cursory glance at src/usr.sbin/bsdinstall suggests that it does not,
in fact, do that. Checksums are compared against the MANIFEST (in
scripts/checksum), but that is itself simply downloaded from the same
mirror (in scripts/jail), usually over plain FTP, without any
authentication.

Thanks,
-nd.
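To make the gap described in this message concrete, here is an added example (not code from the post, and not FreeBSD's own bsdinstall scripts). It models a mirror that serves the installer sets plus a MANIFEST in the tab-separated layout bsdinstall reads (set name, SHA256, file count, short name, description, default selection; the field order is assumed here), and compares two checks: the unauthenticated one that trusts whatever MANIFEST the mirror returns, and an authenticated one that first matches the MANIFEST against a digest obtained over a trusted channel. That pinned digest is an assumption standing in for a detached PGP signature on the MANIFEST; the set contents are constructed byte strings, not real archives.

```python
import hashlib
import hmac

# Constructed stand-ins for the real sets (base.txz, kernel.txz).
GENUINE_SETS = {
    "base.txz": b"genuine base set contents",
    "kernel.txz": b"genuine kernel set contents",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(sets: dict) -> str:
    """Emit a MANIFEST in the assumed bsdinstall layout:
    name<TAB>sha256<TAB>nfiles<TAB>shortname<TAB>description<TAB>selected."""
    lines = []
    for name, data in sets.items():
        short = name.split(".")[0]
        lines.append("\t".join([name, sha256_hex(data), "1", short, f"{name} set", "on"]))
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Return {set name: expected sha256}; reject malformed lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 2 or len(fields[1]) != 64:
            raise ValueError(f"malformed MANIFEST line: {line!r}")
        expected[fields[0]] = fields[1]
    return expected


def verify_sets_unauthenticated(manifest_text: str, sets: dict) -> bool:
    """What a checksum-only step achieves: each set must match the MANIFEST,
    but the MANIFEST itself is trusted exactly as the mirror served it."""
    expected = parse_manifest(manifest_text)
    return all(
        name in expected and hmac.compare_digest(sha256_hex(data), expected[name])
        for name, data in sets.items()
    )


def verify_sets_authenticated(manifest_text: str, trusted_manifest_digest: str, sets: dict) -> bool:
    """Trust the MANIFEST only after it matches a digest obtained out of band
    (assumed here as the stand-in for a signature check), then verify the sets."""
    if not hmac.compare_digest(sha256_hex(manifest_text.encode()), trusted_manifest_digest):
        return False
    return verify_sets_unauthenticated(manifest_text, sets)


def simulate_mirror(tampered: bool):
    """Model the mirror. A tampered mirror rewrites a set and regenerates the
    MANIFEST so the two agree, which is why an unsigned MANIFEST proves nothing."""
    sets = dict(GENUINE_SETS)
    if tampered:
        sets["base.txz"] = b"modified base set contents"
    return build_manifest(sets), sets


if __name__ == "__main__":
    genuine_manifest, _ = simulate_mirror(tampered=False)
    # The trusted digest would come from an authenticated source, not the mirror.
    trusted = sha256_hex(genuine_manifest.encode())
    for tampered in (False, True):
        manifest, sets = simulate_mirror(tampered)
        print(f"tampered={tampered}: checksum-only={verify_sets_unauthenticated(manifest, sets)}, "
              f"authenticated={verify_sets_authenticated(manifest, trusted, sets)}")
```

The run shows the point of the message: with a tampered mirror the checksum-only check still passes, because the attacker rewrote the MANIFEST to match, while the authenticated check fails as soon as the MANIFEST no longer matches the trusted digest. Whatever the trusted value is in practice (a signed MANIFEST, or a digest carried on the already-verified installer image), the essential property is that it must not come from the same unauthenticated channel as the sets.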



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200125200007.GA11>