Date: Sat, 25 Jan 2020 20:00:07 +0000
From: Nathan Dorfman <na@rtfm.net>
To: freebsd-security@freebsd.org
Subject: Cryptographic signatures of installer sets
Message-ID: <20200125200007.GA11@rtfm.net>
Hello all,

I really hope I'm missing something here, and we can all have a nice chuckle at my expense. But I can't see any way the integrity of the installer sets (base.txz, kernel.txz and friends) can be verified cryptographically?

There is a MANIFEST file containing SHA256 checksums, but it itself does not appear to be signed in any way.

The installer images do come with PGP-signed checksums. So, when using an image that already contains all the sets, one can be sure they are authentic. What happens when one uses a network-only installer, though? How can it authenticate the sets it downloads from the user's chosen mirror?

A cursory glance at src/usr.sbin/bsdinstall suggests that it does not, in fact, do that. Checksums are compared against the MANIFEST (in scripts/checksum), but that is itself simply downloaded from the same mirror (in scripts/jail), usually over plain FTP, without any authentication.

Thanks,
-nd.
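The trust gap described above, as an added example that is not from this thread or from bsdinstall: a toy verifier that performs the MANIFEST-only comparison beside one that first pins the MANIFEST to a digest obtained out of band (for instance, carried on PGP-verified install media). The tab-separated MANIFEST layout and all set contents are constructed assumptions, not the project's real files.

```python
import hashlib
import hmac

# Constructed stand-ins for the installer sets a mirror would serve.
GENUINE_SETS = {"base.txz": b"constructed base set", "kernel.txz": b"constructed kernel set"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(sets: dict) -> str:
    """Emit a MANIFEST in the tab-separated layout assumed here:
    name, sha256, file count, short name, description, default on/off."""
    rows = []
    for name, data in sets.items():
        short = name.split(".")[0]
        rows.append("\t".join([name, sha256_hex(data), "1", short, f'"{short} set"', "on"]))
    return "\n".join(rows) + "\n"

def parse_manifest(text: str) -> dict:
    """Map set name -> expected SHA256 hex digest."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split("\t")
            table[fields[0]] = fields[1]
    return table

def check_set(manifest: str, name: str, data: bytes) -> bool:
    """The circular check: the MANIFEST came from the same mirror as the set,
    so a mirror that rewrites both always passes."""
    expected = parse_manifest(manifest).get(name, "")
    return hmac.compare_digest(expected, sha256_hex(data))

def check_set_anchored(manifest: str, pinned_digest: str, name: str, data: bytes) -> bool:
    """Anchored check: the MANIFEST itself must match a digest obtained out of band
    before any entry in it is trusted."""
    if not hmac.compare_digest(sha256_hex(manifest.encode()), pinned_digest):
        return False
    return check_set(manifest, name, data)

# Digest the installer would need to carry with it, taken from a trusted source.
GENUINE_MANIFEST = build_manifest(GENUINE_SETS)
PINNED_DIGEST = sha256_hex(GENUINE_MANIFEST.encode())

def simulate_mirror(tampered: bool) -> dict:
    """Mirror serving genuine sets, or a swapped base.txz with a rewritten MANIFEST."""
    sets = dict(GENUINE_SETS)
    if tampered:
        sets["base.txz"] = b"constructed replacement base set"
    manifest = build_manifest(sets)
    return {
        "circular": check_set(manifest, "base.txz", sets["base.txz"]),
        "anchored": check_set_anchored(manifest, PINNED_DIGEST, "base.txz", sets["base.txz"]),
    }
```

With a genuine mirror both checks pass; with a rewritten MANIFEST only the anchored check fails, which is exactly the difference a signed or pinned MANIFEST would make.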