From owner-freebsd-security Mon Feb 5 22:24:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 120CB37B503; Mon, 5 Feb 2001 22:24:26 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14Q1gs-0000aE-00; Mon, 05 Feb 2001 23:33:26 -0700
Message-ID: <3A7F9AB6.5CAA983B@softweyr.com>
Date: Mon, 05 Feb 2001 23:33:26 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Markus Holmberg
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: Package integrity check?
References: <20010205210459.A2479@acc.umu.se>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Markus Holmberg wrote:
>
> Hello.
>
> Is there any way to perform an integrity check on packages that are fetched
> with "pkg_add -r "?
>
> (Similarly to building a package manually with a trusted /usr/ports and
> checksumming downloaded files)
>
> I assume there is no way to do integrity checking on packages, which
> leads me to the question if the general opinion among the security
> conscious is that packages (from untrusted parties, like any ftp site on
> the mirror list) should not be used at all?

I have package signing tools, integrated into the pkg_ commands, sitting on Freefall waiting to be committed. They let you sign a package with an MD5 checksum (this mechanism is a little weird, inherited from the OpenBSD code), a PGP signature (this code is also inherited from OpenBSD, uses PGP 2.xx command line tools, and kinda sucks in my opinion) and X.509 signatures. If you need it, I'll go ahead and commit what I have.
I opened a discussion about this on the -ports mailing list a while ago, which immediately veered off into outer space. I haven't committed these bits since then, but am willing to do so now. We could discuss some of the sensible things people asked for and add them after the fact. For instance, somebody mentioned that pkg_info should report if the package is signed or not; pkg_add should (perhaps optionally) refuse to install a signed package whose signature does not match.

What is not clear is whether it is OK to force pkg_add and pkg_info to link against the crypto libraries, or if they should call the pkg_check executable (if it is installed) to do the work.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
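The install policy Wes describes (report whether a package is signed, and refuse a signed package whose signature does not match) is shown below as an added, self-contained Go example; it is not the pkg_sign/pkg_check code from the thread. It stands in an Ed25519 detached signature over the archive's SHA-256 digest for the PGP/X.509 mechanisms discussed, and the SignedPackage type, the allowUnsigned switch and the archive bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is a hypothetical container: a package archive plus a detached
// signature over its digest. An empty Signature models an unsigned package.
type SignedPackage struct {
	Archive   []byte
	Signature []byte
}

var ErrUnsigned = errors.New("package is unsigned")
var ErrBadSignature = errors.New("signature does not match package contents")

func digest(archive []byte) []byte { h := sha256.Sum256(archive); return h[:] }

// Sign produces the detached signature a package builder would ship.
func Sign(priv ed25519.PrivateKey, archive []byte) SignedPackage {
	return SignedPackage{Archive: archive, Signature: ed25519.Sign(priv, digest(archive))}
}

// Verify is what pkg_info would report: unsigned, mismatched, or valid under
// the locally trusted key (a mirror cannot forge this without that key).
func Verify(trusted ed25519.PublicKey, pkg SignedPackage) error {
	if len(pkg.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(trusted, digest(pkg.Archive), pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Install models the proposed pkg_add gate: a mismatched signature is always
// refused; an unsigned package is accepted only when allowUnsigned is set.
func Install(trusted ed25519.PublicKey, pkg SignedPackage, allowUnsigned bool) (bool, error) {
	err := Verify(trusted, pkg)
	if err == nil || (errors.Is(err, ErrUnsigned) && allowUnsigned) {
		return true, nil
	}
	return false, err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := Sign(priv, []byte("constructed package archive bytes")) // constructed input
	pkg.Archive[0] ^= 0xff                                         // simulate a tampered download
	fmt.Println(Install(pub, pkg, true))                           // false, signature does not match
}
```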