Date:      Wed, 29 Jun 2016 16:38:05 -0700
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        Yuri <yuri@rawbw.com>
Cc:        freebsd-pkgbase@FreeBSD.org, Colin Percival <cperciva@freebsd.org>
Subject:   Re: Are signatures of system images verified?
Message-ID:  <5d642659-944b-d65d-9fc9-2aeab36acd98@FreeBSD.org>
In-Reply-To: <20160629230324.GL1453@FreeBSD.org>
References:  <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com> <20160629213252.GI1453@FreeBSD.org> <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com> <20160629215944.GJ1453@FreeBSD.org> <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com> <20160629230324.GL1453@FreeBSD.org>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 6/29/2016 4:03 PM, Glen Barber wrote:
> On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
>> On 06/29/2016 14:59, Glen Barber wrote:
>>> If I understand what you mean correctly, that would imply poudriere is
>>> responsible for the contents of base.txz, which it is not.  I think the
>>> better solution (if I understood correctly) is RE needs to PGP-sign the
>>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
>>> it in the announcement email for the release, as well as on the website.
>>>
>>> Please correct me if I did misunderstand.
>>>
>>> This way, poudriere could verify the hash of the file against what it
>>> has downloaded, in addition to verifying the PGP fingerprint.
>>

FYI since Poudriere 3.1.11, it has compared the checksums in the
MANIFEST against the downloaded packages.  It also now uses
https://download.freebsd.org by default.  It requires
security/ca_root_nss.  I thought I had forced that dependency but it was
missing.  It is added now.

Around that time (January 2016), Colin Percival has been maintaining a
copy of the MANIFESTS in ports-mgmt/poudriere as well.  Those get
installed with Poudriere and used during jail -c after fetching if
available, so that relying on https isn't required.  These were missing
for ports-mgmt/poudriere-devel until just now.  I've moved them to
misc/freebsd-release-manifests and made both ports depend on it.

>>
>> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
>> binaries should be signed.
>>
> 
> Ok, got it.
> 
>> I don't quite understand the connection between the poudriere run and the
>> announcement email. Could you please elaborate on this? Just downloading
>> something from the website isn't secure either.
>>
> 
> The only correlation there is a link to a web page containing PGP-signed
> checksum files (for the ISOs).
> 
> This is "new" as of 10.2-RELEASE.  So, what I mean (or meant to say) is
> poudriere could fetch the base.txz file, fetch the signed checksum (of
> the MANIFEST), and compare it against something like this:
> 
> https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc
> 
> Hopefully that makes it a bit more clear on what I meant.
> 
> Glen
> 


-- 
Regards,
Bryan Drewery
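
The check Bryan describes above (comparing the SHA-256 digests listed in the release MANIFEST against the fetched distribution sets) is small enough to show end to end. The following is an added example written for this archive page, not poudriere's own sh code: it parses a MANIFEST whose layout is assumed to be one tab-separated line per set with the file name first and the SHA-256 hex digest second (the sample MANIFEST, the file contents and the file counts are constructed), hashes a downloaded file, and refuses both a digest mismatch and a file the MANIFEST does not list at all. The function and variable names are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed MANIFEST layout (hypothetical sample values): one tab-separated
# line per distribution set, file name first and SHA-256 second, followed by
# the file count, set name, quoted description and the on/off default.
MANIFEST_TEMPLATE = (
    "base.txz\t{base_sha}\t12345\tbase\t\"Base system (MANDATORY)\"\ton\n"
    "kernel.txz\t{kernel_sha}\t678\tkernel\t\"Kernel (MANDATORY)\"\ton\n"
)


def parse_manifest(text):
    """Return {file name: expected sha256 hex} from MANIFEST text."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        # A digest that is not 64 hex characters means a truncated or
        # tampered MANIFEST; fail closed instead of silently skipping it.
        if len(fields) < 2 or len(fields[1]) != 64:
            raise ValueError("MANIFEST line %d is malformed: %r" % (lineno, line))
        entries[fields[0]] = fields[1].lower()
    return entries


def sha256_file(path):
    """Stream the file through SHA-256 so large .txz archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distfile(manifest, path, name=None):
    """True if the file at `path` matches the MANIFEST digest for `name`.

    A file the MANIFEST does not list is an error rather than a pass: anyone
    who can substitute a file could also drop it from a forged manifest, so
    'unknown' must never be treated as 'fine'.
    """
    name = name or os.path.basename(path)
    if name not in manifest:
        raise KeyError("%s is not listed in MANIFEST" % name)
    actual = sha256_file(path)
    # compare_digest avoids the early-exit comparison; harmless here, but
    # a good habit wherever an expected digest is matched against input.
    return hmac.compare_digest(manifest[name], actual)


def demo():
    """Construct a good and a tampered base.txz; return both verdicts."""
    good = b"constructed stand-in for base.txz contents\n" * 100
    bad = good[:-1] + b"!"  # a single byte changed
    kernel = b"constructed stand-in for kernel.txz\n"
    manifest = parse_manifest(MANIFEST_TEMPLATE.format(
        base_sha=hashlib.sha256(good).hexdigest(),
        kernel_sha=hashlib.sha256(kernel).hexdigest()))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "base.txz")
        with open(path, "wb") as f:
            f.write(good)
        ok = verify_distfile(manifest, path)
        with open(path, "wb") as f:
            f.write(bad)
        tampered = verify_distfile(manifest, path)
    return ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The digest comparison only proves the download matches the MANIFEST; it is the PGP signature on the MANIFEST or on the CHECKSUM.SHA256 file (verified with the release engineering key before the digests are trusted) that ties those digests to the release, which is the point Glen makes in the quoted message.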
