From: Nathan Dorfman <na@rtfm.net>
To: freebsd-security@freebsd.org
Date: Sat, 25 Jan 2020 20:00:07 +0000
Subject: Cryptographic signatures of installer sets
Message-ID: <20200125200007.GA11@rtfm.net>

Hello all,

I really hope I'm missing something here, and we can all have a nice chuckle at my expense. But I can't see any way the integrity of the installer sets (base.txz, kernel.txz and friends) can be verified cryptographically? There is a MANIFEST file containing SHA256 checksums, but it itself does not appear to be signed in any way.

The installer images do come with PGP-signed checksums. So, when using an image that already contains all the sets, one can be sure they are authentic.

What happens when one uses a network-only installer, though? How can it authenticate the sets it downloads from the user's chosen mirror?

A cursory glance at src/usr.sbin/bsdinstall suggests that it does not, in fact, do that. Checksums are compared against the MANIFEST (in scripts/checksum), but that is itself simply downloaded from the same mirror (in scripts/jail), usually over plain FTP, without any authentication.

Thanks,
-nd.
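The gap the message describes is that the MANIFEST used by the checksum step comes from the same mirror as the sets it vouches for. The script below is an added example written for this post, not code from bsdinstall or the FreeBSD project; it shows the verification in the order a defender wants it: the MANIFEST is first compared against a digest obtained independently of the mirror (where that digest comes from, for instance a PGP-verified checksum file on trusted media, is an assumption of the example), and only then are the sets compared against the MANIFEST. The set files, MANIFEST entries and digests are all constructed inline, and the function names sha256_of, verify_manifest_trust, verify_sets and check_mirror are chosen here rather than taken from bsdinstall.

```shell
#!/bin/sh
# Added example, not code from the original post or from bsdinstall: verify
# installer sets against a MANIFEST only after the MANIFEST itself has been
# anchored to a digest obtained independently of the mirror. Every file,
# set name and digest here is constructed for the demonstration.
set -u

# Portable SHA-256 of a file: sha256sum on Linux, sha256(1) on FreeBSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Step 1: anchor the MANIFEST. $2 is a digest the operator obtained through a
# channel independent of the mirror (assumption for this example: copied from
# a PGP-verified checksum file on trusted media). Fails if it does not match.
verify_manifest_trust() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Step 2: verify every set the MANIFEST lists against the files in $2.
# MANIFEST lines are tab-separated: set name, sha256, file count, short name,
# description, default selection. Fails on any mismatch or missing set.
verify_sets() {
    manifest=$1; distdir=$2; status=0
    while IFS="$(printf '\t')" read -r name digest _rest; do
        [ -n "$name" ] || continue
        if [ ! -f "$distdir/$name" ]; then
            echo "MISSING  $name" >&2; status=1; continue
        fi
        if [ "$(sha256_of "$distdir/$name")" = "$digest" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2; status=1
        fi
    done < "$manifest"
    return $status
}

# The order matters: a MANIFEST that merely agrees with the sets next to it
# proves nothing if both came from the same untrusted place.
check_mirror() {
    distdir=$1; trusted_digest=$2
    verify_manifest_trust "$distdir/MANIFEST" "$trusted_digest" || {
        echo "MANIFEST does not match the trusted digest; refusing to verify sets" >&2
        return 1
    }
    verify_sets "$distdir/MANIFEST" "$distdir"
}

# --- demonstration with constructed data -----------------------------------
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# Build a MANIFEST from the set files in a directory (same layout as above).
write_manifest() {
    d=$1
    printf '%s\t%s\t%s\t%s\t"%s"\t%s\n' \
        base.txz   "$(sha256_of "$d/base.txz")"   1 base   "Base system" on \
        kernel.txz "$(sha256_of "$d/kernel.txz")" 1 kernel "Kernel"      on \
        > "$d/MANIFEST"
}

# Genuine release: the digest of its MANIFEST stands in for the out-of-band value.
mkdir -p "$work/good"
printf 'constructed base set\n'   > "$work/good/base.txz"
printf 'constructed kernel set\n' > "$work/good/kernel.txz"
write_manifest "$work/good"
TRUSTED_MANIFEST_DIGEST=$(sha256_of "$work/good/MANIFEST")

# Tampered mirror: a modified base.txz with a MANIFEST rewritten to match it.
mkdir -p "$work/tampered"
printf 'tampered base set\n' > "$work/tampered/base.txz"
cp "$work/good/kernel.txz" "$work/tampered/kernel.txz"
write_manifest "$work/tampered"

check_mirror "$work/good"     "$TRUSTED_MANIFEST_DIGEST" && echo "good mirror: accepted"
check_mirror "$work/tampered" "$TRUSTED_MANIFEST_DIGEST" || echo "tampered mirror: rejected"
```

Run it with sh. The tampered directory passes verify_sets on its own, because its MANIFEST was regenerated to agree with the altered set; it is only the anchor check in check_mirror, performed before any set is inspected, that rejects it. That is the property the post is asking bsdinstall for: the MANIFEST must be trusted for a reason that does not depend on the mirror that served it.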