From: Glen Barber
Date: Wed, 29 Jun 2016 23:03:24 +0000
To: Yuri
Cc: freebsd-pkgbase@FreeBSD.org, Bryan Drewery
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629230324.GL1453@FreeBSD.org>
In-Reply-To: <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com>

On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> On 06/29/2016 14:59, Glen Barber wrote:
> >If I understand what you mean correctly, that would imply poudriere is
> >responsible for the contents of base.txz, which it is not. I think the
> >better solution (if I understood correctly) is RE needs to PGP-sign the
> >releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >it in the announcement email for the release, as well as on the website.
> >
> >Please correct me if I did misunderstand.
> >
> >This way, poudriere could verify the hash of the file against what it
> >has downloaded, in addition to verifying the PGP fingerprint.
>
>
> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
> binaries should be signed.
>

Ok, got it.

> I don't quite understand the connection between the poudriere run and the
> announcement email. Could you please elaborate on this? Just downloading
> something from the website isn't secure either.
>

The only correlation there is a link to a web page containing PGP-signed
checksum files (for the ISOs). This is "new" as of 10.2-RELEASE.

So, what I mean (or meant to say) is poudriere could fetch the base.txz
file, fetch the signed checksum (of the MANIFEST), and compare it
against something like this:

https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc

Hopefully that makes it a bit more clear on what I meant.

Glen
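
The hash chain proposed in this message (signed checksum file, then MANIFEST, then base.txz), as an added example that is not part of the original email and is not poudriere's code. It assumes the PGP signature on the checksum file has already been verified separately (for example with `gpg --verify`) and that only its cleartext body is passed in; the `SHA256 (MANIFEST) = ...` entry is hypothetical, since the thread only proposes publishing it, and MANIFEST lines are assumed to carry the file name and SHA-256 as their first two whitespace-separated fields.

```python
import hashlib
import hmac
import re

# BSD-style checksum line, e.g. "SHA256 (MANIFEST) = <64 hex digits>"
CHECKSUM_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksums(text: str) -> dict:
    """Map file name -> digest from the body of an already-verified checksum file."""
    found = {}
    for line in text.splitlines():
        m = CHECKSUM_RE.match(line.strip())
        if m:
            found[m["name"]] = m["digest"]
    return found


def parse_manifest(text: str) -> dict:
    """Map distribution set -> digest (first two fields of each MANIFEST line)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and re.fullmatch(r"[0-9a-f]{64}", fields[1]):
            entries[fields[0]] = fields[1]
    return entries


def verify_chain(signed_checksums: str, manifest: bytes, dist_name: str, dist: bytes) -> bool:
    """True only if MANIFEST matches the signed checksum AND dist matches MANIFEST."""
    want_manifest = parse_checksums(signed_checksums).get("MANIFEST")
    if want_manifest is None or not hmac.compare_digest(want_manifest, sha256_hex(manifest)):
        return False  # MANIFEST absent from, or different to, the signed file
    want_dist = parse_manifest(manifest.decode("utf-8", "replace")).get(dist_name)
    if want_dist is None:
        return False  # fail closed: a set not listed in MANIFEST is never accepted
    return hmac.compare_digest(want_dist, sha256_hex(dist))


# Constructed sample data (not real release artifacts).
BASE_TXZ = b"constructed stand-in for base.txz contents"
MANIFEST = ("base.txz\t%s\t12345\tbase\t\"Base system (MANDATORY)\"\ton\n"
            % sha256_hex(BASE_TXZ)).encode()
SIGNED = "SHA256 (MANIFEST) = %s\n" % sha256_hex(MANIFEST)

if __name__ == "__main__":
    print(verify_chain(SIGNED, MANIFEST, "base.txz", BASE_TXZ))
    print(verify_chain(SIGNED, MANIFEST, "base.txz", BASE_TXZ + b"x"))
```

The archive is trusted only through the MANIFEST, and the MANIFEST only through the signed checksum, so a tampered MANIFEST is rejected before its entries are consulted.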