Date: Tue, 11 Feb 2020 23:31:32 +0000 From: Nathan Dorfman <ndorf@rtfm.net> To: Glen Barber <gjb@freebsd.org> Cc: freebsd-security@freebsd.org Subject: Re: Cryptographic signatures of installer sets Message-ID: <20200211233132.GA7@rtfm.net> In-Reply-To: <20200203135710.GK9584@FreeBSD.org> References: <20200125200007.GA11@rtfm.net> <20200127164201.GB9584@FreeBSD.org> <20200130005006.GA13@e398a4ce8009> <20200130132239.GG9584@FreeBSD.org> <20200201233420.GA18@rtfm.net> <20200203135710.GK9584@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Sorry for my delayed response. On Mon, Feb 03, 2020 at 01:57:10PM +0000, Glen Barber wrote: > First, if one installs from a snapshot, the MANIFEST file would only be > valid until the next snapshot build. > > The second and third problems are somewhat related: the various > distribution sets (base.txz, lib32.txz, etc.) are not updated with each > patch release. (I have been pondering the "right way(tm)" to do this > for some time, but that is more or less orthogonal to the real problem > at hand here.) The other issue is freebsd-update(8) does not work with > snapshot builds (from stable/X or head). Oops. I hadn't realized freebsd-update, with the -r option, couldn't be used to upgrade to the next snapshot. Since that is the case, it seems fine to support -RELEASEs only. > But for X.Y-RELEASE, one could use 'bsdinstall jail' to create the jail, > then invoke freebsd-update(8) with the '-b' flag to the jail location. Right, and this is no different than the current situation. > The patch I have at the moment looks for the MANIFEST (rather, the > <arch>-<target_arch>-<X.Y-RELEASE>) file in the location they are > installed by the misc/freebsd-release-manifests package. This seems reasonable, but I think the checksum script is also used by the system installer (not just the jail setup script). Have you considered the possibility of simply publishing a detached signature with every MANIFEST, in a similar manner to what is done for the installer images? Those use PGP, requiring the gnupg package to verify, but OpenSSL could also be used. -nd.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200211233132.GA7>