Date: Tue, 28 Jan 2014 05:41:41 +0100 From: Elmar Stellnberger <estellnb@elstel.org> To: freebsd-security@freebsd.org Subject: Re: online cheksum verification for FreeBSD Message-ID: <D5AFDA9E-4BC0-4E2A-8986-FD4283CEE918@elstel.org> In-Reply-To: <4BA27CDF.1040107@gmail.com> References: <4BA27CDF.1040107@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
A respective tool for Debian based distros has just been released (http://www.elstel.org/debcheckroot). It takes a somewhat simpler approach than its rpm-based counterpart and may serve as a prove of concept. The only thing that is required is a sha/md5sum list for each package (as private keys tend to be stolen relying on them is not a good idea either way). If we already have sha1sums somewhere in the package header it should be possible to port the tool. However locally stored checksums are not of use as they can be manipulated arbitrarily. Elmar Am 18.03.2010 um 20:19 schrieb Elmar Stellnberger: > > Unfortunately pkg_check&sign do not seem to exist any more: > > from 8.0 relnotes: "The pkg_sign and pkg_check utilities for cryptographically signing FreeBSD packages have been removed. They were only useful for packages compressed using gzip(1); however bzip2(1) compression has been the norm for some time now. > > Besides this I would need pkg_sign to take the checksums from the respective .tbz instead of the local file system. > " For sha1, it checksums the file and verifies that the result matches the list of checksums recorded in /var/db/pkg/SHA1." > > Moreover I would need a script that just downloads the package headers; not the whole packages > because otherwise the check procedure would last aeons. > > I thought there was a version of bzip2 that did signing/encrypting but guess not ... in any case it is not what freebsd uses > > That way it seemes to me as the easiest viable way to simply provide external checksum lists as the package management depeers a proper checksum handling. Such lists do already exist for Windows and OSX. That way we would not even need a new tool; just checksum lists the user can verify himself. For Linux on the other hand cheksums are provided by the package headers so that we do not need separate checksum lists. > > > > > You can download the packages from: > > > ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/ > > > and run pkg_check You might be able to extract the signature > > from the package. > > > The packages themselves are signed. There is no separate > > signature file. /etc/ssl/pkg.crt is the location of the public > > key for the packages. > > > > P.S.: Sorry for my late reply > I must have overlloked your message as I have not been subscribed to freebsd-security. > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D5AFDA9E-4BC0-4E2A-8986-FD4283CEE918>