From: Elmar Stellnberger <elmstel@gmail.com>
Date: Thu, 18 Mar 2010 19:19:59 +0000
To: freebsd-security@freebsd.org, m@micheas.net
Subject: Re: online cheksum verification for FreeBSD
Message-ID: <4BA27CDF.1040107@gmail.com>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)

Unfortunately pkg_check and pkg_sign do not seem to exist any more; from the 8.0 release notes:

"The pkg_sign and pkg_check utilities for cryptographically signing FreeBSD packages have been removed. They were only useful for packages compressed using gzip(1); however bzip2(1) compression has been the norm for some time now."

Besides this I would need pkg_sign to take the checksums from the respective .tbz instead of the local file system:

"For sha1, it checksums the file and verifies that the result matches the list of checksums recorded in /var/db/pkg/SHA1."

Moreover I would need a script that just downloads the package headers, not the whole packages, because otherwise the check procedure would last aeons.

I thought there was a version of bzip2 that did signing/encrypting, but I guess not ... in any case it is not what FreeBSD uses.

That way it seems to me that the easiest viable way is to simply provide external checksum lists, as the package management lacks proper checksum handling. Such lists do already exist for Windows and OS X. That way we would not even need a new tool, just checksum lists the user can verify himself. For Linux, on the other hand, checksums are provided by the package headers, so that we do not need separate checksum lists.

> > You can download the packages from:
> >
> > ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/
> >
> > and run pkg_check. You might be able to extract the signature
> > from the package.
> >
> > The packages themselves are signed. There is no separate
> > signature file. /etc/ssl/pkg.crt is the location of the public
> > key for the packages.
> P.S.: Sorry for my late reply; I must have overlooked your message, as I have not been subscribed to freebsd-security.

----------------------------------------------------------------------

From: Remko Lodder <remko@elvandar.org>
Date: Fri, 19 Mar 2010 20:06:04 +0100
To: Elmar Stellnberger
Cc: freebsd-security@freebsd.org, m@micheas.net
Subject: Re: online cheksum verification for FreeBSD
Message-Id: <732ACA06-A9E1-4B3A-A942-A379FF371CC9@elvandar.org>
In-Reply-To: <4BA27CDF.1040107@gmail.com>
References: <4BA27CDF.1040107@gmail.com>

On Mar 18, 2010, at 8:19 PM, Elmar Stellnberger wrote:
>

One can donate funds to the FreeBSD Foundation and submit a proposal to get this included. Since we are all volunteers, this might be something that isn't going to see the light soon.

You could of course install something like tripwire and get a baseline from a trusted CD (you can verify the ISO files that we deliver) and use that to build your system.

Thanks,
Remko (speaking for myself)

--
/"\   Best regards,             | remko@FreeBSD.org
\ /   Remko Lodder              | remko@EFnet
 X    http://www.evilcoder.org/ |
/ \   ASCII Ribbon Campaign     | Against HTML Mail and News
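As an added example, not code from this thread or from any FreeBSD tool, here is the "external checksum list the user verifies himself" approach Elmar proposes, reduced to a small POSIX sh script. It checks a directory of downloaded package files against a detached list in the `SHA256 (name) = hex` line format that FreeBSD's sha256(1) prints and that the release CHECKSUM.SHA256 files use, and it reports every file that is missing, tampered with, or listed with a path that escapes the package directory. The package names, contents and list entries in `demo()` are constructed for the example. `verify_list_signature` assumes a publishing scheme in which the list ships with a detached signature and the publisher's public key; that is an assumption of this example, not how the thread says FreeBSD packages are signed.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of FreeBSD's tools:
# verify downloaded package files against an externally published checksum
# list.  The list uses the "SHA256 (name) = hex" line format that FreeBSD's
# sha256(1) prints and that the release CHECKSUM.SHA256 files use.  All file
# names, contents and hashes in demo() are constructed for this example.

# Digest helper: sha256(1) on FreeBSD, sha256sum(1) on GNU systems.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_list_signature PUBKEY SIGFILE LISTFILE
# Assumed publishing scheme (not from the thread): the list ships with a
# detached signature made by the publisher's private key.  Checking it before
# trusting any hash in the list is what turns "a list I downloaded" into
# "a list I can verify myself"; an unsigned list over plain FTP proves nothing.
verify_list_signature() {
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# verify_list LISTFILE DIR
# Prints OK / MISMATCH / MISSING / BADNAME per listed file.  Returns 0 only
# when every listed file exists in DIR and hashes to the recorded value.
# Lines that are not in list format (comments, blank lines) are ignored.
verify_list() {
    list=$1
    dir=$2
    rc=0
    while IFS= read -r line; do
        case $line in
            "SHA256 ("*") = "*) ;;
            *) continue ;;
        esac
        name=${line#"SHA256 ("}
        name=${name%%")"*}
        want=${line##*"= "}
        # Never let a list entry name a path outside DIR.
        case $name in
            */*|..*) echo "BADNAME  $name"; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            rc=1
            continue
        fi
        got=$(sha256_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            rc=1
        fi
    done <"$list"
    return $rc
}

# demo: two constructed packages and a list covering three; one package is
# then tampered with and one listed package was never downloaded.
# Returns 0 only if every listed package verifies.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'constructed package payload a' >"$tmp/a-1.0.tbz"
    printf 'constructed package payload b' >"$tmp/b-2.0.tbz"
    {
        echo "SHA256 (a-1.0.tbz) = $(sha256_of "$tmp/a-1.0.tbz")"
        echo "SHA256 (b-2.0.tbz) = $(sha256_of "$tmp/b-2.0.tbz")"
        # placeholder digest for a package that is listed but not downloaded
        echo "SHA256 (c-3.0.tbz) = 0000000000000000000000000000000000000000000000000000000000000000"
    } >"$tmp/CHECKSUM.SHA256"
    printf 'tampered after the list was made' >"$tmp/b-2.0.tbz"
    if verify_list "$tmp/CHECKSUM.SHA256" "$tmp"; then
        status=0
    else
        status=1
    fi
    rm -rf "$tmp"
    return $status
}

if demo; then
    echo "all listed packages verified"
else
    echo "verification FAILED: see MISMATCH/MISSING lines above" >&2
fi
```

The list only proves anything if it arrives over a channel you trust more than the package mirror, which is Remko's point about starting from a verifiable ISO: check the list's signature (or compare it against a copy obtained out of band) before acting on a single OK line, and treat BADNAME entries as hostile input rather than typos.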