From owner-freebsd-security@freebsd.org Sun Jan 10 20:01:37 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7E52CA6A52E for ; Sun, 10 Jan 2016 20:01:37 +0000 (UTC) (envelope-from jim@jimkeener.com) Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 39312175C for ; Sun, 10 Jan 2016 20:01:37 +0000 (UTC) (envelope-from jim@jimkeener.com) Received: by mail-qk0-x231.google.com with SMTP id r67so22093953qke.1 for ; Sun, 10 Jan 2016 12:01:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jimkeener-com.20150623.gappssmtp.com; s=20150623; h=user-agent:in-reply-to:references:mime-version:content-type :content-transfer-encoding:subject:from:date:to:cc:message-id; bh=wWUrmXnznU6E4NhrP7N6wRboWze8vUkY6R0VunpXNYc=; b=X2UeNIGFDBXaiBNlJr/fzKLkA/1CPdilCSGO1rhN90tZtWJXXKqJ35c7e3u2eH0GH1 8UJNhVFVFomxBpe+j5wKMo5W9JbTxZB4kONXmAaN7rRgTMfP6xIxDrwNMNMiZeM6Si/T 79zt5AWevZORJAA//oIwXNtTpKtTMM7KthQyr2fsN/i5F+Y3mFlSpFRj9pjDxQRntNT7 irHrQwZM7wCJaUCRAYnnSvbV0BbDcBKKgv1SwVKnylP7QbBcPNvjUQ9A9Oawuie2LtBi AUsrYzQSs11QmtpKwvWo/Hmldy2pSJvICR2I35BXsmezsam4zJcPGirthYMmAH4sW2ER F+/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:user-agent:in-reply-to:references:mime-version :content-type:content-transfer-encoding:subject:from:date:to:cc :message-id; bh=wWUrmXnznU6E4NhrP7N6wRboWze8vUkY6R0VunpXNYc=; b=Kplb0uDc6AhYdNIHw7vTKXg9gFJPd5klNgpC1NALIRo/DczNwuQhYrX0X6PlXI4M62 PyZCzWIi96MVEB7bQ8xOf22TLhpTuVx0Asoa75MhPQU3CF6pqKozcgeLzWNUUmgEtm2J OWYskKv26q4+QBfRFqdO6+764e1mluxcPu2g86jFU+pZK8IfmoipHtXtMWoGf33eRWDk 8qcD/9W/hmIzap1pxv7LNOMjveUaf4JFPJkk4ReMPiiWrh4rCtm26lfKtiom0ewL5DvS xgdQ8K39EI7wKHGdnnidMnDyB9+6NKHReegwQxfpqCUKLPtUNWnXfmiWoFLmgFnJpQ97 KZIQ== X-Gm-Message-State: ALoCoQmmZlr0I3gAd1kEMItKfwJAPqW3EXxdrvwgk92hTuLRw2SUwNfk73MroPTaFIQmj1AnvvYmHSZTSAq6qSbIiwuemrMvoQ== X-Received: by 10.55.72.70 with SMTP id v67mr156747390qka.47.1452456096247; Sun, 10 Jan 2016 12:01:36 -0800 (PST) Received: from wendy.home (pool-71-112-137-21.pitbpa.east.verizon.net. [71.112.137.21]) by smtp.gmail.com with ESMTPSA id u78sm11412631qge.27.2016.01.10.12.01.34 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 10 Jan 2016 12:01:35 -0800 (PST) User-Agent: K-9 Mail for Android In-Reply-To: References: MIME-Version: 1.0 Subject: Re: Signed Checksums for release archives From: James Keener Date: Sun, 10 Jan 2016 15:01:30 -0500 To: Dmitry Morozovsky , Clint Armstrong CC: freebsd-security@freebsd.org Message-ID: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Jan 2016 20:01:37 -0000 That doesn't help if a mirror is compromised or control is lost. Those already downloaded installers can't update their mirror list. Jim On January 10, 2016 2:54:44 PM EST, Dmitry Morozovsky wrote: >On Sun, 10 Jan 2016, Clint Armstrong wrote: > >> The signed checksums linked on that page only include checksums for >the >> .img and .iso images. Not for the .txz archives. > >Ah I see. But nevertheless, these .txz's are almost always accessed >from the >installer, which selects only approved mirror from well-defined list, >and >connects to them over TLS... > > >-- >Sincerely, >D.Marck [DM5020, MCK-RIPE, >DM3-RIPN] >[ FreeBSD committer: marck@FreeBSD.org >] >------------------------------------------------------------------------ >*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru >*** >------------------------------------------------------------------------ >_______________________________________________ >freebsd-security@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to >"freebsd-security-unsubscribe@freebsd.org" -- Sent from my Android device with K-9 Mail. Please excuse my brevity. From owner-freebsd-security@freebsd.org Sun Jan 10 21:07:42 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 13FBDA6A1BA for ; Sun, 10 Jan 2016 21:07:42 +0000 (UTC) (envelope-from clint@clintarmstrong.net) Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DCBF910FB for ; Sun, 10 Jan 2016 21:07:41 +0000 (UTC) (envelope-from clint@clintarmstrong.net) Received: by mail-ig0-x235.google.com with SMTP id t15so83751451igr.0 for ; Sun, 10 Jan 2016 13:07:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=clintarmstrong.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=b14QpoQR1xRyYYbM4Ff47ctB4FYvnbZpFGmLgMZjaU4=; b=IECt4KaXUkBiJ4mgzoi0xxtIyO94WeAGHfCCoajYozNeAZIwpskS1xCEp7qK8UdWpk GGWXP/FFSjgM0vVnSUGjqyYYdnrJiTfih//DJWFBD+frzIohIVwLnrs5ZQDZlIbIqYhx KiCJyjHRsEymAORK2Iyc3VdhvG2wZb5OqBUZs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=b14QpoQR1xRyYYbM4Ff47ctB4FYvnbZpFGmLgMZjaU4=; b=GY5nAvV6TJLc8vNYe79hL+JafHgBL82Az0Nyv1M0e/wuDbrDYwR7WcXak0/yDIZb5t cIEXMz7oevfYWEqGd316dvFLhecVInnPnONtFM4ayaF/HURPdlEQwl1ru2r/l3rcTfGV xGPA8zPABWgy6BDJYHy0NWuAy/vvHfHVwYKSPOQ9tYXCnDAsW/W24zdGtCwCIuzS7jBF X3tUz1v0WmjMe3LujN1ci8eEuU8Iz6rUFoOu6BosObne4YAqZRZeZZEIMxVyOmDi6eZU +gn2tMoU/sUe4x16QXEzCM1ZKYApbP7zUv4TcL5S0vC3R1kiARN/uKgXxvdaTvf5duEe 6jWQ== X-Gm-Message-State: ALoCoQl+r0xRk2577WftDrvAmdplljmWQ+xD7hlcJhgxM67Yqrv6oiGoW2qNx5n5PBRgI+KYlvkJhTLSyVWSF28jwLGquj4CCA== X-Received: by 10.50.73.66 with SMTP id j2mr8862681igv.12.1452460060625; Sun, 10 Jan 2016 13:07:40 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Clint Armstrong Date: Sun, 10 Jan 2016 21:07:31 +0000 Message-ID: Subject: Re: Signed Checksums for release archives To: James Keener , Dmitry Morozovsky Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Jan 2016 21:07:42 -0000 My use case is for creating Jails. I'm trying to script downloading and extracting an archive for a jail and would like to be able to verify the download. On Sun, Jan 10, 2016 at 3:01 PM James Keener wrote: > That doesn't help if a mirror is compromised or control is lost. Those > already downloaded installers can't update their mirror list. > > Jim > > > On January 10, 2016 2:54:44 PM EST, Dmitry Morozovsky > wrote: >> >> On Sun, 10 Jan 2016, Clint Armstrong wrote: >> >> The signed checksums linked on that page only include checksums for the >>> .img and .iso images. Not for the .txz archives. >>> >> >> Ah I see. But nevertheless, these .txz's are almost always accessed from the >> installer, which selects only approved mirror from well-defined list, and >> connects to them over TLS... >> >> > -- > Sent from my Android device with K-9 Mail. Please excuse my brevity. >