From: Glen Barber <gjb@FreeBSD.org>
To: Yuri
Cc: freebsd-pkgbase@FreeBSD.org
Date: Wed, 29 Jun 2016 21:59:44 +0000
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629215944.GJ1453@FreeBSD.org>
In-Reply-To: <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com>
References: <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com> <20160629213252.GI1453@FreeBSD.org> <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com>
List-Id: "Packaging the FreeBSD base system."
On Wed, Jun 29, 2016 at 02:46:26PM -0700, Yuri wrote:
> On 06/29/2016 14:32, Glen Barber wrote:
> >But you raise a good point, poudriere does not have a good way to
> >validate the base.txz unless it also unpacks bootonly.iso (or any of the
> >installer media) and compares the checksums.
>
>
> The possible solution is that poudriere should supply a public key as a part
> of the package, and all binaries that it downloads are also signed with the
> corresponding private key.
>

If I understand what you mean correctly, that would imply poudriere is
responsible for the contents of base.txz, which it is not.

I think the better solution (if I understood correctly) is RE needs to
PGP-sign the releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file,
and include it in the announcement email for the release, as well as on
the website.  Please correct me if I did misunderstand.

This way, poudriere could verify the hash of the file against what it
has downloaded, in addition to verifying the PGP fingerprint.
Glen
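The two-step check Glen describes above (verify the PGP signature on MANIFEST first, then compare the sha256 recorded in MANIFEST against the downloaded base.txz), written out as an added example. This is not poudriere's or FreeBSD release engineering's code. It assumes the MANIFEST column layout used by the FreeBSD installer (file, sha256, file count, name, description, on/off, tab separated), that the detached signature sits beside MANIFEST as MANIFEST.asc, and that the verifier ships a pinned keyring path of its own; all three are assumptions, not details from the message. The point the code makes is ordering: the hash comparison is only meaningful once the file that carries the hashes has itself been authenticated against a key that did not come from the same mirror.

```python
#!/usr/bin/env python3
# Added example: authenticate MANIFEST with a detached PGP signature, then
# check a downloaded distribution set against the sha256 it records.
# Assumptions: MANIFEST.asc naming, a pinned keyring path, installer-style
# tab-separated MANIFEST columns. Not poudriere's or FreeBSD RE's code.
import hashlib
import os
import shutil
import subprocess
import tempfile
from typing import Dict, NamedTuple


class ManifestEntry(NamedTuple):
    sha256: str
    nfiles: int
    name: str
    description: str


def parse_manifest(text: str) -> Dict[str, ManifestEntry]:
    """Parse tab-separated MANIFEST lines (assumed layout):
    <file> <sha256> <file count> <name> <description> [<on|off>]
    The trailing installer selection column is ignored."""
    entries: Dict[str, ManifestEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 5:
            raise ValueError(f"MANIFEST line {lineno}: expected at least 5 fields")
        filename, digest, nfiles, name, desc = fields[:5]
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"MANIFEST line {lineno}: {filename}: malformed sha256")
        entries[filename] = ManifestEntry(digest, int(nfiles), name, desc.strip('"'))
    return entries


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through sha256 so a large base.txz never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest_signature(manifest_path: str, signature_path: str,
                              keyring: str) -> bool:
    """Step 1: detached PGP signature over MANIFEST, checked against a pinned
    keyring shipped with the verifier, so a key fetched from the same mirror
    as the files cannot vouch for them. Returns False if gpg is absent or
    verification fails; it never raises."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return False
    cmd = [gpg, "--batch", "--no-default-keyring", "--keyring", keyring,
           "--verify", signature_path, manifest_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def check_distfiles(entries: Dict[str, ManifestEntry], distdir: str) -> Dict[str, bool]:
    """Step 2: compare the digest of every downloaded file that MANIFEST lists.
    Files listed but not present in distdir are not reported."""
    results: Dict[str, bool] = {}
    for filename, entry in entries.items():
        path = os.path.join(distdir, filename)
        if os.path.isfile(path):
            results[filename] = sha256_file(path) == entry.sha256
    return results


def verify_release(distdir: str, keyring: str) -> Dict[str, bool]:
    """Both steps in order: no hash from MANIFEST is trusted until its
    signature has verified."""
    manifest = os.path.join(distdir, "MANIFEST")
    if not verify_manifest_signature(manifest, manifest + ".asc", keyring):
        raise RuntimeError("MANIFEST signature did not verify; not trusting its hashes")
    with open(manifest, encoding="ascii") as f:
        return check_distfiles(parse_manifest(f.read()), distdir)


def demo() -> Dict[str, bool]:
    """Constructed data (not real release files): a fake base.txz whose
    MANIFEST digest matches, and a fake kernel.txz whose digest was altered.
    Exercises step 2 only; step 1 needs gpg and a real key."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "base.txz")
        bad = os.path.join(d, "kernel.txz")
        with open(good, "wb") as f:
            f.write(b"constructed base.txz contents\n")
        with open(bad, "wb") as f:
            f.write(b"constructed kernel.txz contents\n")
        manifest = "\t".join(["base.txz", sha256_file(good), "1", "base",
                              '"Base system (MANDATORY)"', "on"]) + "\n"
        manifest += "\t".join(["kernel.txz", "0" * 64, "1", "kernel",
                               '"Kernel (MANDATORY)"', "on"]) + "\n"
        return check_distfiles(parse_manifest(manifest), d)


if __name__ == "__main__":
    print(demo())  # {'base.txz': True, 'kernel.txz': False}
```

`verify_release` is the entry point a build tool would call after downloading a release directory; `demo` shows the hash step on constructed files. The keyring argument is deliberately mandatory: verifying against whatever keys happen to be in the default keyring would let a key imported from the download mirror satisfy the check.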