From owner-freebsd-security@freebsd.org Tue Feb 11 23:31:42 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 41ADD246976 for ; Tue, 11 Feb 2020 23:31:42 +0000 (UTC) (envelope-from ndorf@rtfm.net) Received: from iad1-shared-relay1.dreamhost.com (iad1-shared-relay1.dreamhost.com [208.113.157.50]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 48HJvK0zyfz4nv4; Tue, 11 Feb 2020 23:31:40 +0000 (UTC) (envelope-from ndorf@rtfm.net) Received: from cloudburst.dreamhost.com (cloudburst.dreamhost.com [66.33.212.129]) by iad1-shared-relay1.dreamhost.com (Postfix) with ESMTP id 3C318B40081; Tue, 11 Feb 2020 15:31:34 -0800 (PST) Received: by cloudburst.dreamhost.com (Postfix, from userid 10401829) id 0669211EF; Tue, 11 Feb 2020 15:31:34 -0800 (PST) Date: Tue, 11 Feb 2020 23:31:32 +0000 From: Nathan Dorfman To: Glen Barber Cc: freebsd-security@freebsd.org Subject: Re: Cryptographic signatures of installer sets Message-ID: <20200211233132.GA7@rtfm.net> References: <20200125200007.GA11@rtfm.net> <20200127164201.GB9584@FreeBSD.org> <20200130005006.GA13@e398a4ce8009> <20200130132239.GG9584@FreeBSD.org> <20200201233420.GA18@rtfm.net> <20200203135710.GK9584@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200203135710.GK9584@FreeBSD.org> X-Rspamd-Queue-Id: 48HJvK0zyfz4nv4 X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of ndorf@rtfm.net designates 208.113.157.50 as permitted sender) smtp.mailfrom=ndorf@rtfm.net X-Spamd-Result: default: False [2.85 / 15.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:208.113.157.50]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[rtfm.net]; NEURAL_SPAM_MEDIUM(0.12)[0.120,0]; IP_SCORE(2.07)[ip: (9.01), ipnet: 208.113.128.0/17(0.49), asn: 26347(0.88), country: US(-0.05)]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(0.97)[0.966,0]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:26347, ipnet:208.113.128.0/17, country:US]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Feb 2020 23:31:42 -0000 Sorry for my delayed response. On Mon, Feb 03, 2020 at 01:57:10PM +0000, Glen Barber wrote: > First, if one installs from a snapshot, the MANIFEST file would only be > valid until the next snapshot build. > > The second and third problems are somewhat related: the various > distribution sets (base.txz, lib32.txz, etc.) are not updated with each > patch release. (I have been pondering the "right way(tm)" to do this > for some time, but that is more or less orthogonal to the real problem > at hand here.) The other issue is freebsd-update(8) does not work with > snapshot builds (from stable/X or head). Oops. I hadn't realized freebsd-update, with the -r option, couldn't be used to upgrade to the next snapshot. Since that is the case, it seems fine to support -RELEASEs only. > But for X.Y-RELEASE, one could use 'bsdinstall jail' to create the jail, > then invoke freebsd-update(8) with the '-b' flag to the jail location. Right, and this is no different than the current situation. > The patch I have at the moment looks for the MANIFEST (rather, the > --) file in the location they are > installed by the misc/freebsd-release-manifests package. This seems reasonable, but I think the checksum script is also used by the system installer (not just the jail setup script). Have you considered the possibility of simply publishing a detached signature with every MANIFEST, in a similar manner to what is done for the installer images? Those use PGP, requiring the gnupg package to verify, but OpenSSL could also be used. -nd.