From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Yuri
Cc: freebsd-pkgbase@FreeBSD.org, Colin Percival
Subject: Re: Are signatures of system images verified?
Date: Wed, 29 Jun 2016 16:38:05 -0700
Message-ID: <5d642659-944b-d65d-9fc9-2aeab36acd98@FreeBSD.org>
In-Reply-To: <20160629230324.GL1453@FreeBSD.org>
References: <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com> <20160629213252.GI1453@FreeBSD.org> <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com> <20160629215944.GJ1453@FreeBSD.org> <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com> <20160629230324.GL1453@FreeBSD.org>
List-Id: "Packaging the FreeBSD base system." <freebsd-pkgbase@freebsd.org>
On 6/29/2016 4:03 PM, Glen Barber wrote:
> On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
>> On 06/29/2016 14:59, Glen Barber wrote:
>>> If I understand what you mean correctly, that would imply poudriere is
>>> responsible for the contents of base.txz, which it is not. I think the
>>> better solution (if I understood correctly) is RE needs to PGP-sign the
>>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
>>> it in the announcement email for the release, as well as on the website.
>>>
>>> Please correct me if I did misunderstand.
>>>
>>> This way, poudriere could verify the hash of the file against what it
>>> has downloaded, in addition to verifying the PGP fingerprint.
>>

FYI since Poudriere 3.1.11, it has compared the checksums in the MANIFEST
against the downloaded packages. It also now uses
https://download.freebsd.org by default. It requires security/ca_root_nss.
I thought I had forced that dependency but it was missing. It is added now.

Around that time (January 2016), Colin Percival began maintaining a copy of
the MANIFESTS in ports-mgmt/poudriere as well. Those get installed with
Poudriere and used during jail -c after fetching if available, so that
relying on https isn't required. These were missing for
ports-mgmt/poudriere-devel until just now. I've moved them to
misc/freebsd-release-manifests and made both ports depend on it.

>>
>> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
>> binaries should be signed.
>>
>
> Ok, got it.
>
>> I don't quite understand the connection between the poudriere run and the
>> announcement email. Could you please elaborate on this? Just downloading
>> something from the website isn't secure either.
>>
>
> The only correlation there is a link to a web page containing PGP-signed
> checksum files (for the ISOs).
>
> This is "new" as of 10.2-RELEASE. So, what I mean (or meant to say) is
> poudriere could fetch the base.txz file, fetch the signed checksum (of
> the MANIFEST), and compare it against something like this:
>
> https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc
>
> Hopefully that makes it a bit more clear on what I meant.
>
> Glen
>

-- 
Regards,
Bryan Drewery
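[Editor's added example, not part of the thread above and not poudriere's or FreeBSD RE's code.] The check the thread describes has two halves: verify the PGP signature on the file that carries the digests, and only then compare the digest of the downloaded base.txz against that file. The script below does both, for the tab-separated release MANIFEST format (file, sha256, file count, name, description, default) and for the `SHA256 (file) = hex` lines in the CHECKSUM.SHA256 files Glen links. It assumes sha256(1), sha256sum(1) or shasum(1) is present, that the RE signing key is already in the local gpg keyring for the signature step, and it builds a constructed stand-in base.txz and hash files in a temp directory so it runs offline.

```sh
#!/bin/sh
# Added example (not poudriere's or FreeBSD RE's code): verify a release
# distribution file such as base.txz against the release MANIFEST, and
# check a PGP-signed CHECKSUM/MANIFEST file before trusting its digests.
set -u

# Portable SHA-256 of a file: FreeBSD ships sha256(1), Linux sha256sum(1),
# macOS shasum(1). Prints only the hex digest.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Expected digest for $2 from a release MANIFEST ($1). MANIFEST lines are
# tab-separated: file, sha256, file count, name, description, default.
manifest_hash() {
    awk -F '\t' -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Expected digest for $2 from a CHECKSUM.SHA256 file ($1) in the BSD form
#   SHA256 (FreeBSD-10.2-RELEASE-amd64-disc1.iso) = <hex>
# A clearsigned .asc parses the same way: armor and signature lines never
# match the pattern.
checksum_file_hash() {
    awk -v d="$2" '$1 == "SHA256" && $2 == ("(" d ")") { print $4; exit }' "$1"
}

# Verify the OpenPGP signature on a clearsigned CHECKSUM/MANIFEST file.
# Assumes the FreeBSD RE signing key is already in the local gpg keyring.
# Run this BEFORE trusting any digest the file contains; a missing gpg is
# a failure, not a silent skip.
verify_pgp() {   # verify_pgp <clearsigned.asc>
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    gpg --batch --verify "$1"
}

# Compare a downloaded file against the digest recorded for it.
# Returns 0 on match, 1 on mismatch, missing entry or unknown file kind.
verify_dist() {   # verify_dist <hashfile> <manifest|checksum> <dist> <dir>
    hashfile=$1 kind=$2 dist=$3 dir=$4
    case $kind in
        manifest) expected=$(manifest_hash "$hashfile" "$dist") ;;
        checksum) expected=$(checksum_file_hash "$hashfile" "$dist") ;;
        *) echo "unknown hash file kind: $kind" >&2; return 1 ;;
    esac
    if [ -z "$expected" ]; then
        echo "$dist: no entry in $hashfile" >&2
        return 1
    fi
    actual=$(sha256_of "$dir/$dist")
    if [ "$actual" = "$expected" ]; then
        echo "$dist: OK"
        return 0
    fi
    echo "$dist: SHA256 MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demonstration: a stand-in base.txz, a MANIFEST line for it in
# the release format, a CHECKSUM.SHA256-style line, then a tampered copy.
# Returns 0 only if the good file passes and the tampered file is rejected.
run_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed stand-in for base.txz, not a real distribution\n' \
        > "$tmp/base.txz"
    h=$(sha256_of "$tmp/base.txz")
    printf 'base.txz\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' "$h" \
        > "$tmp/MANIFEST"
    printf 'SHA256 (base.txz) = %s\n' "$h" > "$tmp/CHECKSUM.SHA256"

    verify_dist "$tmp/MANIFEST" manifest base.txz "$tmp" || return 1
    verify_dist "$tmp/CHECKSUM.SHA256" checksum base.txz "$tmp" || return 1

    # Append one byte: the digest must no longer match the MANIFEST.
    printf 'x' >> "$tmp/base.txz"
    if verify_dist "$tmp/MANIFEST" manifest base.txz "$tmp" 2>/dev/null; then
        echo "tampered file was accepted" >&2
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

run_demo
```

In real use the order matters: `verify_pgp CHECKSUM.SHA256-FreeBSD-X.Y-RELEASE-amd64.asc` (or a signed MANIFEST, once RE publishes one) first, and only then `verify_dist` against that file; a digest taken from an unsigned MANIFEST fetched over plain HTTP proves nothing more than that the download was not corrupted in transit, which is exactly the gap the thread is discussing.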