From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 21:21:08 2016
From: Yuri <yuri@rawbw.com>
To: freebsd-pkgbase@freebsd.org
Subject: Are signatures of system images verified?
Message-ID: <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com>
Date: Wed, 29 Jun 2016 14:21:00 -0700
List-Id: "Packaging the FreeBSD base system."

Both system installer and poudriere jails take images from
http://ftp.freebsd.org/pub/FreeBSD/releases/

But I can't see that there is a signature anywhere there that is verified
during the download.

For example, pkg(8) uses the key fingerprint
/usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify downloads.
This is the only file under /usr/share/keys/

Does this mean that system images aren't verified and MITM is possible, or I
am missing something?

Yuri

From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 21:32:53 2016
From: Glen Barber <gjb@FreeBSD.org>
To: Yuri
Cc: freebsd-pkgbase@freebsd.org
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629213252.GI1453@FreeBSD.org>
Date: Wed, 29 Jun 2016 21:32:52 +0000
In-Reply-To: <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com>
On Wed, Jun 29, 2016 at 02:21:00PM -0700, Yuri wrote:
> Both system installer and poudriere jails take images from
> http://ftp.freebsd.org/pub/FreeBSD/releases/
>
> But I can't see that there is a signature anywhere there that is verified
> during the download.
>
> For example, pkg(8) uses the key fingerprint
> /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify downloads.
> This is the only file under /usr/share/keys/
>
>
> Does this mean that system images aren't verified and MITM is possible, or I
> am missing something?
>

This is different than pkgbase, the base.txz and kernel.txz, etc., are
not what would have been installed with pkg(8).  When pkgbase is ready,
yes, they will be signed.

The MANIFEST for the base.txz is checked by bootonly.iso when installing
(it has a local version of the file), so the security model here is:

 - bootonly.iso is downloaded, checksums compared to the PGP-signed email
   and the image is "good";

 - bsdinstall(8) fetches the remote files, and compares their hashes
   against a known-good MANIFEST (it is part of its filesystem,
   /usr/freebsd-dist/).

But you raise a good point, poudriere does not have a good way to
validate the base.txz unless it also unpacks bootonly.iso (or any of the
installer media) and compares the checksums.
Glen

From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 21:46:32 2016
Subject: Re: Are signatures of system images verified?
From: Yuri <yuri@rawbw.com>
To: Glen Barber
Cc: freebsd-pkgbase@FreeBSD.org
Message-ID: <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com>
Date: Wed, 29 Jun 2016 14:46:26 -0700
In-Reply-To: <20160629213252.GI1453@FreeBSD.org>

On 06/29/2016 14:32, Glen Barber wrote:
> But you raise a good point, poudriere does not have a good way to
> validate the base.txz unless it also unpacks bootonly.iso (or any of the
> installer media) and compares the checksums.

The possible solution is that poudriere should supply a public key as a
part of the package, and all binaries that it downloads are also signed
with the corresponding private key.
Yuri

From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 21:59:46 2016
From: Glen Barber <gjb@FreeBSD.org>
To: Yuri
Cc: freebsd-pkgbase@FreeBSD.org
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629215944.GJ1453@FreeBSD.org>
Date: Wed, 29 Jun 2016 21:59:44 +0000
In-Reply-To: <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com>
On Wed, Jun 29, 2016 at 02:46:26PM -0700, Yuri wrote:
> On 06/29/2016 14:32, Glen Barber wrote:
> >But you raise a good point, poudriere does not have a good way to
> >validate the base.txz unless it also unpacks bootonly.iso (or any of the
> >installer media) and compares the checksums.
>
>
> The possible solution is that poudriere should supply a public key as a part
> of the package, and all binaries that it downloads are also signed with the
> corresponding private key.
>

If I understand what you mean correctly, that would imply poudriere is
responsible for the contents of base.txz, which it is not.  I think the
better solution (if I understood correctly) is RE needs to PGP-sign the
releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
it in the announcement email for the release, as well as on the website.

Please correct me if I did misunderstand.

This way, poudriere could verify the hash of the file against what it
has downloaded, in addition to verifying the PGP fingerprint.
Glen

From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 22:22:35 2016
Subject: Re: Are signatures of system images verified?
From: Yuri <yuri@rawbw.com>
To: Glen Barber
Cc: freebsd-pkgbase@FreeBSD.org
Message-ID: <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com>
Date: Wed, 29 Jun 2016 15:22:33 -0700
In-Reply-To: <20160629215944.GJ1453@FreeBSD.org>

On 06/29/2016 14:59, Glen Barber wrote:
> If I understand what you mean correctly, that would imply poudriere is
> responsible for the contents of base.txz, which it is not.  I think the
> better solution (if I understood correctly) is RE needs to PGP-sign the
> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> it in the announcement email for the release, as well as on the website.
>
> Please correct me if I did misunderstand.
>
> This way, poudriere could verify the hash of the file against what it
> has downloaded, in addition to verifying the PGP fingerprint.

Yes, only MANIFEST should be signed, I made a mistake suggesting that all
binaries should be signed.

I don't quite understand the connection between the poudriere run and the
announcement email. Could you please elaborate on this? Just downloading
something from the website isn't secure either.
Thank you,
Yuri

From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 23:03:28 2016
From: Glen Barber <gjb@FreeBSD.org>
To: Yuri
Cc: freebsd-pkgbase@FreeBSD.org, Bryan Drewery
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629230324.GL1453@FreeBSD.org>
Date: Wed, 29 Jun 2016 23:03:24 +0000
In-Reply-To: <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com>
On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> On 06/29/2016 14:59, Glen Barber wrote:
> >If I understand what you mean correctly, that would imply poudriere is
> >responsible for the contents of base.txz, which it is not.  I think the
> >better solution (if I understood correctly) is RE needs to PGP-sign the
> >releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >it in the announcement email for the release, as well as on the website.
> >
> >Please correct me if I did misunderstand.
> >
> >This way, poudriere could verify the hash of the file against what it
> >has downloaded, in addition to verifying the PGP fingerprint.
>
>
> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
> binaries should be signed.
>

Ok, got it.

> I don't quite understand the connection between the poudriere run and the
> announcement email. Could you please elaborate on this? Just downloading
> something from the website isn't secure either.
>

The only correlation there is a link to a web page containing PGP-signed
checksum files (for the ISOs).

This is "new" as of 10.2-RELEASE.  So, what I mean (or meant to say) is
poudriere could fetch the base.txz file, fetch the signed checksum (of
the MANIFEST), and compare it against something like this:

https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc

Hopefully that makes it a bit more clear on what I meant.
Glen
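Glen's two messages above together describe a chain: the ISO is trusted because its hash matches a PGP-signed checksum list, and the distribution sets are trusted because their hashes match the MANIFEST carried inside that ISO (the check bsdinstall(8) does from /usr/freebsd-dist/). The script below is that chain written out end to end as an added example; it is not FreeBSD, bsdinstall or poudriere code. It assumes things the thread does not state: that the Release Engineering public key has already been imported into a keyring at the placeholder path in RE_KEYRING; that the .asc file is a clearsigned text whose lines are in BSD digest format ("SHA256 (name) = hex"); that MANIFEST lines are six tab-separated fields (file, sha256, file count, short name, description, on/off default); and that tar(1) is bsdtar, which can read an ISO9660 image directly.

```shell
#!/bin/sh
# Added example (not FreeBSD, bsdinstall or poudriere code): the chain of
# trust described in the thread, scripted end to end.
#   1. gpg verifies the clearsigned CHECKSUM.SHA256-*.asc with the RE key
#      and emits only the text it verified;
#   2. the downloaded bootonly.iso is checked against that list;
#   3. the MANIFEST is taken out of the verified ISO, not off the mirror;
#   4. each default distribution set (base.txz, kernel.txz, ...) is checked
#      against the MANIFEST.
# Assumptions (none stated in the thread): RE_KEYRING already holds the RE
# public key (placeholder path); .asc lines are BSD digest format
# "SHA256 (<file>) = <hex>"; MANIFEST lines are tab separated as
# <file> <sha256> <nfiles> <name> <description> <on|off>; tar(1) is bsdtar,
# which reads ISO9660 images and stores paths without a leading "./".

RE_KEYRING=${RE_KEYRING:-$HOME/.gnupg/freebsd-re.gpg}   # placeholder

# SHA256 of a file, on FreeBSD (sha256(1)) or Linux (sha256sum(1)).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d' ' -f1; fi
}

# Step 1. Write the signed payload to $2 only if the signature verifies.
# Later steps read the payload gpg produced, not the .asc itself, so text an
# attacker appends outside the armor never reaches the comparison.
signed_checksums() {            # signed_checksums CHECKSUM.asc OUT
    gpg --batch --yes --no-default-keyring --keyring "$RE_KEYRING" \
        --output "$2" --decrypt "$1"
}

# Expected digest of FILENAME from a verified BSD-format checksum list.
expected_from_checksums() {     # expected_from_checksums LIST FILENAME
    awk -v f="$2" '$1 == "SHA256" && $2 == ("(" f ")") { print $4; exit }' "$1"
}

# Expected digest of one set from a MANIFEST.
expected_from_manifest() {      # expected_from_manifest MANIFEST base.txz
    awk -F'\t' -v s="$2" '$1 == s { print $2; exit }' "$1"
}

# Compare a file with an expected digest. 0 ok, 1 mismatch, 2 not listed.
# A file that cannot be checked is treated as bad, not as unknown.
check_digest() {                # check_digest EXPECTED PATH
    [ -n "$1" ] || { echo "$(basename "$2"): not listed" >&2; return 2; }
    [ "$(sha256_of "$2")" = "$1" ] && { echo "$(basename "$2"): OK"; return 0; }
    echo "$(basename "$2"): MISMATCH" >&2
    return 1
}

# Step 4. Verify every set the MANIFEST selects by default (field 6 = on).
verify_default_sets() {         # verify_default_sets MANIFEST DIR
    rc=0
    for s in $(awk -F'\t' '$6 == "on" { print $1 }' "$1"); do
        check_digest "$(expected_from_manifest "$1" "$s")" "$2/$s" || rc=1
    done
    return $rc
}

# Steps 1-4 together. DIR holds the .asc, the ISO and the downloaded sets.
verify_release_dir() {          # verify_release_dir DIR CHECKSUM.asc bootonly.iso
    list=$(mktemp) || return 1
    if ! signed_checksums "$1/$2" "$list"; then
        echo "signature on $2 did not verify; stopping" >&2
        rm -f "$list"; return 1
    fi
    check_digest "$(expected_from_checksums "$list" "$3")" "$1/$3" || { rm -f "$list"; return 1; }
    rm -f "$list"
    # Only now is the ISO trusted enough to take the MANIFEST from it.
    tar -xOf "$1/$3" usr/freebsd-dist/MANIFEST > "$1/MANIFEST.verified" || return 1
    verify_default_sets "$1/MANIFEST.verified" "$1"
}
```

Source the file and call, for example, `verify_release_dir /tmp/10.2 CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc FreeBSD-10.2-RELEASE-amd64-bootonly.iso`. The reason the signature step writes out the verified payload with --decrypt instead of eyeballing the .asc is that gpg's exit status, not a look at the armor, gates everything after it: an unknown key or a bad signature stops the run before a single hash is compared, which is exactly the step that downloading the same checksum file over plain HTTP (or even HTTPS, as Yuri notes) does not give you.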
From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 23:38:11 2016
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Yuri
Cc: freebsd-pkgbase@FreeBSD.org, Colin Percival
Subject: Re: Are signatures of system images verified?
Message-ID: <5d642659-944b-d65d-9fc9-2aeab36acd98@FreeBSD.org>
Date: Wed, 29 Jun 2016 16:38:05 -0700
In-Reply-To: <20160629230324.GL1453@FreeBSD.org>
Organization: FreeBSD
On 6/29/2016 4:03 PM, Glen Barber wrote:
> On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
>> On 06/29/2016 14:59, Glen Barber wrote:
>>> If I understand what you mean correctly, that would imply poudriere is
>>> responsible for the contents of base.txz, which it is not.  I think the
>>> better solution (if I understood correctly) is RE needs to PGP-sign the
>>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
>>> it in the announcement email for the release, as well as on the website.
>>>
>>> Please correct me if I did misunderstand.
>>>
>>> This way, poudriere could verify the hash of the file against what it
>>> has downloaded, in addition to verifying the PGP fingerprint.
>>

FYI since Poudriere 3.1.11, it has compared the checksums in the
MANIFEST against the downloaded packages.  It also now uses
https://download.freebsd.org by default.  It requires
security/ca_root_nss.  I thought I had forced that dependency but it was
missing.  It is added now.

Around that time (January 2016), Colin Percival has been maintaining a
copy of the MANIFESTS in ports-mgmt/poudriere as well.  Those get
installed with Poudriere and used during jail -c after fetching if
available, so that relying on https isn't required.  These were missing
for ports-mgmt/poudriere-devel until just now.  I've moved them to
misc/freebsd-release-manifests and made both ports depend on it.

>>
>> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
>> binaries should be signed.
>>
>
> Ok, got it.
>
>> I don't quite understand the connection between the poudriere run and the
>> announcement email. Could you please elaborate on this? Just downloading
>> something from the website isn't secure either.
>>
>
> The only correlation there is a link to a web page containing PGP-signed
> checksum files (for the ISOs).
>
> This is "new" as of 10.2-RELEASE.  So, what I mean (or meant to say) is
> poudriere could fetch the base.txz file, fetch the signed checksum (of
> the MANIFEST), and compare it against something like this:
>
> https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc
>
> Hopefully that makes it a bit more clear on what I meant.
>
> Glen
>

--
Regards,
Bryan Drewery

From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 23:46:46 2016
From: Glen Barber <gjb@FreeBSD.org>
To: Bryan Drewery
Cc: Yuri, freebsd-pkgbase@FreeBSD.org, Colin Percival
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629234645.GO1453@FreeBSD.org>
Date: Wed, 29 Jun 2016 23:46:45 +0000
In-Reply-To: <5d642659-944b-d65d-9fc9-2aeab36acd98@FreeBSD.org>
On Wed, Jun 29, 2016 at 04:38:05PM -0700, Bryan Drewery wrote:
> On 6/29/2016 4:03 PM, Glen Barber wrote:
> > On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> >> On 06/29/2016 14:59, Glen Barber wrote:
> >>> If I understand what you mean correctly, that would imply poudriere is
> >>> responsible for the contents of base.txz, which it is not.  I think the
> >>> better solution (if I understood correctly) is RE needs to PGP-sign the
> >>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >>> it in the announcement email for the release, as well as on the website.
> >>>
> >>> Please correct me if I did misunderstand.
> >>>
> >>> This way, poudriere could verify the hash of the file against what it
> >>> has downloaded, in addition to verifying the PGP fingerprint.
> >>
>
> FYI since Poudriere 3.1.11, it has compared the checksums in the
> MANIFEST against the downloaded packages.  It also now uses
> https://download.freebsd.org by default.  It requires
> security/ca_root_nss.  I thought I had forced that dependency but it was
> missing.  It is added now.
>

Ah, great, thank you.  To those interested, the MANIFEST files included
were obtained in a secure manner, i.e., bootonly.iso was downloaded and
extracted after the checksum was compared to the PGP-signed email.

> Around that time (January 2016), Colin Percival has been maintaining a
> copy of the MANIFESTS in ports-mgmt/poudriere as well.  Those get
> installed with Poudriere and used during jail -c after fetching if
> available, so that relying on https isn't required.  These were missing
> for ports-mgmt/poudriere-devel until just now.  I've moved them to
> misc/freebsd-release-manifests and made both ports depend on it.
>

I completely forgot about this.  Thank you.

Glen

From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 23:48:42 2016
From: Glen Barber <gjb@FreeBSD.org>
To: Bryan Drewery
Cc: freebsd-pkgbase@FreeBSD.org, Colin Percival
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629234841.GP1453@FreeBSD.org>
Date: Wed, 29 Jun 2016 23:48:41 +0000
In-Reply-To: <20160629234645.GO1453@FreeBSD.org>

On Wed, Jun 29, 2016 at 11:46:45PM +0000, Glen Barber wrote:
> On Wed, Jun 29, 2016 at 04:38:05PM -0700, Bryan Drewery wrote:
> > On 6/29/2016 4:03 PM, Glen Barber wrote:
> > > On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> > >> On 06/29/2016 14:59, Glen Barber wrote:
> > >>> If I understand what you mean correctly, that would imply poudriere is
> > >>> responsible for the contents of base.txz, which it is not.  I think the
> > >>> better solution (if I understood correctly) is RE needs to PGP-sign the
> > >>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> > >>> it in the announcement email for the release, as well as on the website.
> > >>> > > >>> Please correct me if I did misunderstand. > > >>> > > >>> This way, poudriere could verify the hash of the file against what = it > > >>> has downloaded, in addition to verifying the PGP fingerprint. > > >> > >=20 > > FYI since Poudriere 3.1.11, it has compared the checksums in the > > MANIFEST against the downloaded packages. It also now uses > > https://download.freebsd.org by default. It requires > > security/ca_root_nss. I thought I had forced that dependency but it was > > missing. It is added now. > >=20 >=20 > Ah, great, thank you. To those interested, the MANIFEST files included > were obtained in a secure manner, i.e., bootonly.iso was downloaded and > extracted after the checksum was compared to the PGP-signed email. >=20 Uhm, to lessen confusion, this last sentence... > > Around that time (January 2016), Colin Percival has been maintaining a > > copy of the MANIFESTS in ports-mgmt/poudriere as well. Those get > > installed with Poudriere and used during jail -c after fetching if > > available, so that relying on https isn't required. These were missing > > for ports-mgmt/poudriere-devel until just now. I've moved them to > > misc/freebsd-release-manifests and made both ports depend on it. > >=20 >=20 > I completely forgot about this. Thank you. >=20 =2E.. should have been here. 
:( Glen --EkxpYdHiqGHPYbUt Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJXdF5ZAAoJEAMUWKVHj+KTtcMP/ApeNIeaHhXQrTLBHZE8oeMr NV8W31fTHWA9FT3wvl3iGcSQ2xKfGgfxOw5OfsN46wdHmW5Mu9uO4rrK72XglSGN oIU16dXGVUgXlXtTcXSF7CF0InF2WIhzsGFT5t8Rw/NNdhuHtIE9bap3F46yLPSR MRu1DumRhUwuVXQyU+fWgSpXsO+06VverQbjP2LsUnD87yYmBRWKQ+HRD8OiR+mY /stIHgrFy2NLIDCwfVz4ejZpJplLgQMlbR2lLVShMBF4JGpEJvxzwggvB03DIYwZ RCq1fTSC2e9y+dcbcbxkdsenNQ8nk65n0Ju5BMftugnyE68aYiURXdCrhRdrktz5 r/bdcNAitWTQ1+T4GHzcv0ynU7PBd1fF/3XyKLvNgMSSDh0xWH0fQ7t4JCHc63OB eoOpHNK3mmdw8PPxIGKuBwUYc5WeO/qaNWHEr5uMxAjALqT1x38Utm88ORqDhoKU p9S/wBqYVGFadsDtKutsduHF2qMebEP/Y6DHmf36g5CXKGemJoQLZFQFArls/EMj ioVf2L8hkpcYn1vczgovZZjSzzT2U9ovcXWzJTwlm4a4SnSu5va+S+Uzj3/5x+ks zeMq89+8OEEjNz/gLKig7kbDlyjOES/1oYa35Z1GXs9eInmi5yWHA/mSY00QcqPY PIh21tGwixMM4Um16K2B =Nqwy -----END PGP SIGNATURE----- --EkxpYdHiqGHPYbUt-- From owner-freebsd-pkgbase@freebsd.org Wed Jun 29 23:51:08 2016 Return-Path: Delivered-To: freebsd-pkgbase@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0AC74B8707C for ; Wed, 29 Jun 2016 23:51:08 +0000 (UTC) (envelope-from bounces+73574-3a9d-freebsd-pkgbase=freebsd.org@sendgrid.net) Received: from o1.l99.sendgrid.net (o1.l99.sendgrid.net [198.37.153.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 920BC29AB for ; Wed, 29 Jun 2016 23:51:06 +0000 (UTC) (envelope-from bounces+73574-3a9d-freebsd-pkgbase=freebsd.org@sendgrid.net) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.info; h=subject:to:references:cc:from:mime-version:in-reply-to:content-type:content-transfer-encoding; s=smtpapi; bh=LVEhe34MRQWDaD6WltqyYc3xiHs=; b=eHFPmYTy9UXmKrL3b5 JVRVCF46wvRjDYUX+ChXht4fWTM6vNC1MVGjC3YLAKSU5iAcLB203BWNL8szYUBh 
From: Colin Percival
To: Bryan Drewery, Yuri
Cc: freebsd-pkgbase@FreeBSD.org
Date: Wed, 29 Jun 2016 16:50:55 -0700
Subject: Re: Are signatures of system images verified?

On 06/29/16 16:38, Bryan Drewery wrote:
> Around that time (January 2016), Colin Percival has been maintaining a
> copy of the MANIFESTS in ports-mgmt/poudriere as well.

For the record, I obtained these files by downloading the release ISOs, verifying their hashes against the signed release announcements, and then extracting the MANIFEST files from the ISOs, and I intend to do this for future releases as well. I think the consensus was that this was a better option than adding "commit MANIFEST files to the ports tree" to the already very lengthy release engineering checklist, but of course I'd have no objection to handing over this task if re@ wanted it for some reason. :-)

> Those get
> installed with Poudriere and used during jail -c after fetching if
> available, so that relying on https isn't required. These were missing
> for ports-mgmt/poudriere-devel until just now. I've moved them to
> misc/freebsd-release-manifests and made both ports depend on it.

Sounds good.
--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid


From: Glen Barber
To: Colin Percival
Cc: Bryan Drewery, Yuri, freebsd-pkgbase@FreeBSD.org
Date: Wed, 29 Jun 2016 23:57:13 +0000
Subject: Re: Are signatures of system images verified?
On Wed, Jun 29, 2016 at 04:50:55PM -0700, Colin Percival wrote:
> On 06/29/16 16:38, Bryan Drewery wrote:
> > Around that time (January 2016), Colin Percival has been maintaining a
> > copy of the MANIFESTS in ports-mgmt/poudriere as well.
>
> For the record, I obtained these files by downloading the release ISOs,
> verifying their hashes against the signed release announcements, and
> then extracting the MANIFEST files from the ISOs, and I intend to do
> this for future releases as well. I think the consensus was that this
> was a better option than adding "commit MANIFEST files to the ports
> tree" to the already very lengthy release engineering checklist, but
> of course I'd have no objection to handing over this task if re@ wanted
> it for some reason. :-)
>

There are other (valid) reasons for having these signed "somewhere". I'm sure there are more use cases than bootonly.iso and poudriere that use these files. So, it's on my list, but since we have the MANIFESTs you already gathered, no immediate plan to make this retroactive.

Glen
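The MANIFEST checksum comparison that Bryan and Colin describe earlier in the thread (hash the downloaded distribution set and compare it with the entry the MANIFEST carries), written out as an added POSIX sh example; this is not poudriere's own code. It assumes the tab-separated layout of FreeBSD release MANIFEST files (file name, SHA-256, file count, component, quoted description, on/off) and works entirely on a constructed MANIFEST and stand-in files in a temporary directory, so nothing is downloaded.

```shell
# Added example, not poudriere's own code: check a downloaded distribution
# set against the SHA-256 recorded for it in a release MANIFEST.
# Assumed MANIFEST layout (tab-separated, one distribution set per line):
#   <file>  <sha256>  <file count>  <component>  "<description>"  <on|off>

# Portable SHA-256 of a file: FreeBSD ships sha256(1), Linux sha256sum(1).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# Expected hash for a distribution set name (e.g. base.txz) from a MANIFEST.
manifest_hash() {
    awk -F'\t' -v name="$2" '$1 == name { print $2; exit }' "$1"
}

# Compare a downloaded file to its MANIFEST entry. Returns 0 on match,
# 1 on mismatch, 2 when the MANIFEST has no entry; failures go to stderr.
verify_dist() {
    manifest=$1 file=$2 name=$3
    expected=$(manifest_hash "$manifest" "$name")
    if [ -z "$expected" ]; then
        echo "$name: no entry in $manifest" >&2
        return 2
    fi
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "$name: checksum mismatch (expected $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a stand-in base.txz whose MANIFEST entry matches and a
# kernel.txz with a deliberately wrong all-zero hash. Prints both return codes.
demo() {
    tmp=$(mktemp -d) || return 3
    printf 'constructed stand-in for base.txz\n' > "$tmp/base.txz"
    printf 'constructed stand-in for kernel.txz\n' > "$tmp/kernel.txz"
    good=$(file_sha256 "$tmp/base.txz")
    bad=$(printf '%064d' 0)
    printf '%s\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' base.txz "$good" > "$tmp/MANIFEST"
    printf '%s\t%s\t1\tkernel\t"Kernel (MANDATORY)"\ton\n' kernel.txz "$bad" >> "$tmp/MANIFEST"
    r1=0; verify_dist "$tmp/MANIFEST" "$tmp/base.txz" base.txz || r1=$?
    r2=0; verify_dist "$tmp/MANIFEST" "$tmp/kernel.txz" kernel.txz || r2=$?
    rm -rf "$tmp"
    echo "$r1 $r2"
}
```

Running `demo` prints `0 1`: the matching set passes and the tampered entry is rejected; a real run would point `verify_dist` at the MANIFEST obtained out of band (from the signed announcement or the misc/freebsd-release-manifests port) rather than one fetched over the same channel as the file.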