Date: Wed, 29 Jun 2016 15:22:33 -0700 From: Yuri <yuri@rawbw.com> To: Glen Barber <gjb@FreeBSD.org> Cc: freebsd-pkgbase@FreeBSD.org Subject: Re: Are signatures of system images verified? Message-ID: <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com> In-Reply-To: <20160629215944.GJ1453@FreeBSD.org> References: <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com> <20160629213252.GI1453@FreeBSD.org> <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com> <20160629215944.GJ1453@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 06/29/2016 14:59, Glen Barber wrote:
> If I understand what you mean correctly, that would imply poudriere is
> responsible for the contents of base.txz, which it is not. I think the
> better solution (if I understood correctly) is RE needs to PGP-sign the
> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> it in the announcement email for the release, as well as on the website.
>
> Please correct me if I did misunderstand.
>
> This way, poudriere could verify the hash of the file against what it
> has downloaded, in addition to verifying the PGP fingerprint.
Yes, only MANIFEST should be signed, I made a mistake suggesting that
all binaries should be signed.
I don't quite understand the connection between the poudriere run and
the announcement email. Could you please elaborate on this? Just
downloading something from the website isn't secure either.
Thank you,
Yuri
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7ac94438-4d39-2695-7b79-9ce04373e7e1>