From owner-freebsd-security@FreeBSD.ORG Tue Jan 28 05:30:13 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 082F7747 for ; Tue, 28 Jan 2014 05:30:13 +0000 (UTC) Received: from t4.revido.de (t4.revido.de [88.80.214.247]) by mx1.freebsd.org (Postfix) with ESMTP id 8CB70186D for ; Tue, 28 Jan 2014 05:30:12 +0000 (UTC) Received: by t3.revido.de (Postfix, from userid 1000) id B840551B80CD; Tue, 28 Jan 2014 05:41:43 +0100 (CET) X-Spam-DCC: sonic.net: t3.revido.de 1156; Body=1 Fuz1=1 Fuz2=1 X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on t3.revido.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=7.0 tests=none autolearn=disabled version=3.1.7-deb Received: from eight.rr1.revido.de (eight.rr1.revido.de [94.101.38.24]) by t3.revido.de (Postfix) with ESMTP id D3C4451B80CA for ; Tue, 28 Jan 2014 05:41:42 +0100 (CET) Received: from computer.home (188-22-62-129.adsl.highway.telekom.at [188.22.62.129]) by eight.rr1.revido.de (Postfix) with ESMTPA id 9E07E856A93 for ; Tue, 28 Jan 2014 05:41:42 +0100 (CET) Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Apple Message framework v1283) Subject: Re: online cheksum verification for FreeBSD From: Elmar Stellnberger In-Reply-To: <4BA27CDF.1040107@gmail.com> Date: Tue, 28 Jan 2014 05:41:41 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: References: <4BA27CDF.1040107@gmail.com> To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.1283) X-Virus-Status: No X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.95.3/18405/Mon Jan 27 20:37:09 2014 X-Mailman-Approved-At: Tue, 28 Jan 2014 12:26:50 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jan 2014 05:30:13 -0000 A respective tool for Debian based distros has just been released = (http://www.elstel.org/debcheckroot). It takes a somewhat simpler approach than its rpm-based counterpart and = may serve as a prove of concept. The only thing that is required is a sha/md5sum list for each package = (as private keys tend to be stolen relying on them is not a good idea either way). If we already have = sha1sums somewhere in the package header it should be possible to port the tool. However locally stored = checksums are not of use as they can be manipulated arbitrarily. Elmar Am 18.03.2010 um 20:19 schrieb Elmar Stellnberger: >=20 > Unfortunately pkg_check&sign do not seem to exist any more: >=20 > from 8.0 relnotes: "The pkg_sign and pkg_check utilities for = cryptographically signing FreeBSD packages have been removed. They were = only useful for packages compressed using gzip(1); however bzip2(1) = compression has been the norm for some time now. >=20 > Besides this I would need pkg_sign to take the checksums from the = respective .tbz instead of the local file system. > " For sha1, it checksums the file and verifies that the result = matches the list of checksums recorded in /var/db/pkg/SHA1." >=20 > Moreover I would need a script that just downloads the package = headers; not the whole packages > because otherwise the check procedure would last aeons. >=20 > I thought there was a version of bzip2 that did signing/encrypting but = guess not ... in any case it is not what freebsd uses >=20 > That way it seemes to me as the easiest viable way to simply provide = external checksum lists as the package management depeers a proper = checksum handling. Such lists do already exist for Windows and OSX. That = way we would not even need a new tool; just checksum lists the user can = verify himself. For Linux on the other hand cheksums are provided by the = package headers so that we do not need separate checksum lists. >=20 > > > > You can download the packages from: > > > = ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/ > > > and run pkg_check You might be able to extract the = signature > > from the package. > > > The packages themselves are signed. There is no separate > > signature file. /etc/ssl/pkg.crt is the location of the public > > key for the packages. > > =20 >=20 > P.S.: Sorry for my late reply > I must have overlloked your message as I have not been subscribed to = freebsd-security. > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org"