Date:      Wed, 29 Jun 2016 23:03:24 +0000
From:      Glen Barber <gjb@FreeBSD.org>
To:        Yuri <yuri@rawbw.com>
Cc:        freebsd-pkgbase@FreeBSD.org, Bryan Drewery <bdrewery@FreeBSD.org>
Subject:   Re: Are signatures of system images verified?
Message-ID:  <20160629230324.GL1453@FreeBSD.org>
In-Reply-To: <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com>
References:  <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com> <20160629213252.GI1453@FreeBSD.org> <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com> <20160629215944.GJ1453@FreeBSD.org> <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com>



On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> On 06/29/2016 14:59, Glen Barber wrote:
> >If I understand what you mean correctly, that would imply poudriere is
> >responsible for the contents of base.txz, which it is not.  I think the
> >better solution (if I understood correctly) is RE needs to PGP-sign the
> >releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >it in the announcement email for the release, as well as on the website.
> >
> >Please correct me if I did misunderstand.
> >
> >This way, poudriere could verify the hash of the file against what it
> >has downloaded, in addition to verifying the PGP fingerprint.
>
>
> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
> binaries should be signed.
>

Ok, got it.

> I don't quite understand the connection between the poudriere run and the
> announcement email. Could you please elaborate on this? Just downloading
> something from the website isn't secure either.
>

The only correlation there is a link to a web page containing PGP-signed
checksum files (for the ISOs).

This is "new" as of 10.2-RELEASE.  So, what I mean (or meant to say) is
poudriere could fetch the base.txz file, fetch the signed checksum (of
the MANIFEST), and compare it against something like this:

https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc

Hopefully that makes it a bit more clear on what I meant.

Glen





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160629230324.GL1453>
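
The check chain discussed in this message (signed checksum, then MANIFEST, then base.txz), as an added Python example that is not part of the original e-mail and is not poudriere code. It assumes the signed checksum file carries a `SHA256 (MANIFEST) = ...` line, which is the proposal in the thread rather than something the page says exists, and that MANIFEST is tab-separated with the file name and SHA256 first; the function names and the sample data are constructed for illustration.

```python
import hashlib
import re
import subprocess

HEX64 = re.compile(r"[0-9a-f]{64}")

def verified_payload(asc_path, keyring):
    """Signed text of a clearsigned file; raises CalledProcessError if gpg rejects it.
    Assumption: `keyring` holds only the release key, obtained out of band."""
    done = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--decrypt", asc_path], capture_output=True, check=True)
    return done.stdout.decode("ascii")

def parse_checksums(payload):
    """BSD-style 'SHA256 (name) = hex' lines -> {name: hex}."""
    found = re.findall(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$", payload, re.M)
    return dict(found)

def parse_manifest(text):
    """Assumed MANIFEST layout: tab-separated, file name then SHA256 first."""
    rows = (line.split("\t") for line in text.splitlines())
    return {r[0]: r[1] for r in rows if len(r) >= 2 and HEX64.fullmatch(r[1])}

def verify_chain(checksums, manifest_bytes, dist_name, dist_bytes):
    """True only if signed checksum -> MANIFEST -> distribution set all match."""
    if checksums.get("MANIFEST") != hashlib.sha256(manifest_bytes).hexdigest():
        return False  # MANIFEST is missing from, or differs from, the signed list
    listed = parse_manifest(manifest_bytes.decode("ascii")).get(dist_name)
    return listed == hashlib.sha256(dist_bytes).hexdigest()

def demo():
    """Constructed data standing in for the downloaded files."""
    base = b"constructed stand-in for base.txz"
    digest = hashlib.sha256(base).hexdigest()
    manifest = f"base.txz\t{digest}\t1\tbase\n".encode("ascii")
    signed_text = f"SHA256 (MANIFEST) = {hashlib.sha256(manifest).hexdigest()}\n"
    sums = parse_checksums(signed_text)  # real use: verified_payload(...) output
    return (verify_chain(sums, manifest, "base.txz", base),
            verify_chain(sums, manifest, "base.txz", base + b"!"),
            verify_chain(sums, manifest.replace(b"\t1\t", b"\t2\t"), "base.txz", base))

if __name__ == "__main__":
    print(demo())
```

Only the text returned by `verified_payload` should be fed to `parse_checksums`; parsing the `.asc` file directly would trust lines that sit outside the signed region.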