From: Glen Barber <gjb@FreeBSD.org>
To: Yuri
Cc: freebsd-pkgbase@freebsd.org
Date: Wed, 29 Jun 2016 21:32:52 +0000
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629213252.GI1453@FreeBSD.org>
In-Reply-To: <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com>
List-Id: "Packaging the FreeBSD base system."
On Wed, Jun 29, 2016 at 02:21:00PM -0700, Yuri wrote:
> Both system installer and poudriere jails take images from
> http://ftp.freebsd.org/pub/FreeBSD/releases/
>
> But I can't see that there is a signature anywhere there that is verified
> during the download.
>
> For example, pkg(8) uses the key fingerprint
> /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify downloads.
> This is the only file under /usr/share/keys/
>
> Does this mean that system images aren't verified and MITM is possible, or I
> am missing something?

This is different than pkgbase; the base.txz and kernel.txz, etc., are not what would have been installed with pkg(8). When pkgbase is ready, yes, they will be signed.

The MANIFEST for the base.txz is checked by bootonly.iso when installing (it has a local version of the file), so the security model here is:

- bootonly.iso is downloaded, checksums compared to the PGP-signed email and the image is "good";
- bsdinstall(8) fetches the remote files, and compares their hashes against a known-good MANIFEST (it is part of its filesystem, /usr/freebsd-dist/).

But you raise a good point, poudriere does not have a good way to validate the base.txz unless it also unpacks bootonly.iso (or any of the installer media) and compares the checksums.
Glen
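The manual check Glen describes for poudriere (take the MANIFEST shipped inside bootonly.iso, then compare the downloaded base.txz against it) as an added shell example; it is not part of this thread or of any FreeBSD tool. It assumes the MANIFEST has already been copied out of the installer media, uses the tab-separated MANIFEST layout (file, sha256, file count, name, description, on/off), and picks sha256(1) on FreeBSD or sha256sum(1) elsewhere.

```shell
#!/bin/sh
# verify_dist: check downloaded distribution sets (base.txz, kernel.txz, ...)
# against a known-good MANIFEST, e.g. one extracted from bootonly.iso
# (/usr/freebsd-dist/MANIFEST on the installer media).
# Assumption: MANIFEST lines are tab-separated, sha256 in the second column.

sha256_of() {
    # FreeBSD ships sha256(1); Linux ships sha256sum(1). Print the bare digest.
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_dist MANIFEST DISTDIR
# Returns 0 only if every set named in MANIFEST is present in DISTDIR and its
# sha256 matches; any missing or mismatching set makes the result 1.
verify_dist() {
    manifest=$1; distdir=$2; rc=0
    tab=$(printf '\t')
    while IFS="$tab" read -r file want _rest; do
        [ -z "$file" ] && continue            # skip blank lines
        if [ ! -f "$distdir/$file" ]; then
            echo "MISSING $file"; rc=1; continue
        fi
        got=$(sha256_of "$distdir/$file")
        if [ "$got" = "$want" ]; then
            echo "OK      $file"
        else
            echo "BAD     $file (expected $want, got $got)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Stand-alone usage: verify_dist.sh /path/to/MANIFEST /path/to/distdir
if [ "$#" -eq 2 ]; then
    verify_dist "$1" "$2"
fi
```

A poudriere jail built from a base.txz that fails this check should be treated as untrusted, since nothing else in the download path authenticates the archive.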