From owner-freebsd-security Tue Feb 6 9: 4:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 74DB337B401; Tue, 6 Feb 2001 09:04:13 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14QBbz-0000AU-00; Tue, 06 Feb 2001 10:09:03 -0700 Message-ID: <3A802FAF.792F61F5@softweyr.com> Date: Tue, 06 Feb 2001 10:09:03 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Garrett Wollman Cc: freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG Subject: Re: Package integrity check? References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Garrett Wollman wrote: > > < said: > > > We could discuss some of the sensible things people asked for and > > add them after the fact. > > We also need to be very clear about what it means for a package to be > signed -- particularly in light of laws in the US and elsewhere giving > legal status to digital signatures. If there's one good thing to be > said about X.509, there's a lot of ways to stick signed blobs of text > into those certificates.... That's pretty much at the discretion of the parties signing and verifying the packages. One of the signatures is a simple SHA1 crypto checksum, that implies little other than you got what the package creator put together to a fair degree of certainty. Everyone reading this thread should note that the signature exists ONLY in the gzip header for a .tgz package; no attempt is made to sign the extracted onto the system or anything like that. It is the package that is signed, not the application. OTOH, the idea of signed executables intrigues me... -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message