Date: Tue, 28 Jan 2014 05:41:41 +0100 From: Elmar Stellnberger <estellnb@elstel.org> To: freebsd-security@freebsd.org Subject: Re: online cheksum verification for FreeBSD Message-ID: <D5AFDA9E-4BC0-4E2A-8986-FD4283CEE918@elstel.org> In-Reply-To: <4BA27CDF.1040107@gmail.com> References: <4BA27CDF.1040107@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
A respective tool for Debian based distros has just been released = (http://www.elstel.org/debcheckroot). It takes a somewhat simpler approach than its rpm-based counterpart and = may serve as a prove of concept. The only thing that is required is a sha/md5sum list for each package = (as private keys tend to be stolen relying on them is not a good idea either way). If we already have = sha1sums somewhere in the package header it should be possible to port the tool. However locally stored = checksums are not of use as they can be manipulated arbitrarily. Elmar Am 18.03.2010 um 20:19 schrieb Elmar Stellnberger: >=20 > Unfortunately pkg_check&sign do not seem to exist any more: >=20 > from 8.0 relnotes: "The pkg_sign and pkg_check utilities for = cryptographically signing FreeBSD packages have been removed. They were = only useful for packages compressed using gzip(1); however bzip2(1) = compression has been the norm for some time now. >=20 > Besides this I would need pkg_sign to take the checksums from the = respective .tbz instead of the local file system. > " For sha1, it checksums the file and verifies that the result = matches the list of checksums recorded in /var/db/pkg/SHA1." >=20 > Moreover I would need a script that just downloads the package = headers; not the whole packages > because otherwise the check procedure would last aeons. >=20 > I thought there was a version of bzip2 that did signing/encrypting but = guess not ... in any case it is not what freebsd uses >=20 > That way it seemes to me as the easiest viable way to simply provide = external checksum lists as the package management depeers a proper = checksum handling. Such lists do already exist for Windows and OSX. That = way we would not even need a new tool; just checksum lists the user can = verify himself. For Linux on the other hand cheksums are provided by the = package headers so that we do not need separate checksum lists. >=20 > > > > You can download the packages from: > > > = ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/ > > > and run pkg_check You might be able to extract the = signature > > from the package. > > > The packages themselves are signed. There is no separate > > signature file. /etc/ssl/pkg.crt is the location of the public > > key for the packages. > > =20 >=20 > P.S.: Sorry for my late reply > I must have overlloked your message as I have not been subscribed to = freebsd-security. > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D5AFDA9E-4BC0-4E2A-8986-FD4283CEE918>