Date: Wed, 29 Jun 2016 23:46:45 +0000
From: Glen Barber <gjb@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>
Cc: Yuri <yuri@rawbw.com>, freebsd-pkgbase@FreeBSD.org, Colin Percival <cperciva@freebsd.org>
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629234645.GO1453@FreeBSD.org>
In-Reply-To: <5d642659-944b-d65d-9fc9-2aeab36acd98@FreeBSD.org>
References: <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com> <20160629213252.GI1453@FreeBSD.org> <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com> <20160629215944.GJ1453@FreeBSD.org> <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com> <20160629230324.GL1453@FreeBSD.org> <5d642659-944b-d65d-9fc9-2aeab36acd98@FreeBSD.org>

On Wed, Jun 29, 2016 at 04:38:05PM -0700, Bryan Drewery wrote:
> On 6/29/2016 4:03 PM, Glen Barber wrote:
> > On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> >> On 06/29/2016 14:59, Glen Barber wrote:
> >>> If I understand what you mean correctly, that would imply poudriere is
> >>> responsible for the contents of base.txz, which it is not. I think the
> >>> better solution (if I understood correctly) is RE needs to PGP-sign the
> >>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >>> it in the announcement email for the release, as well as on the website.
> >>>
> >>> Please correct me if I did misunderstand.
> >>>
> >>> This way, poudriere could verify the hash of the file against what it
> >>> has downloaded, in addition to verifying the PGP fingerprint.
> >>
>
> FYI since Poudriere 3.1.11, it has compared the checksums in the
> MANIFEST against the downloaded packages. It also now uses
> https://download.freebsd.org by default. It requires
> security/ca_root_nss. I thought I had forced that dependency but it was
> missing. It is added now.
>

Ah, great, thank you. To those interested, the MANIFEST files included
were obtained in a secure manner, i.e., bootonly.iso was downloaded and
extracted after the checksum was compared to the PGP-signed email.

> Around that time (January 2016), Colin Percival has been maintaining a
> copy of the MANIFESTS in ports-mgmt/poudriere as well. Those get
> installed with Poudriere and used during jail -c after fetching if
> available, so that relying on https isn't required. These were missing
> for ports-mgmt/poudriere-devel until just now. I've moved them to
> misc/freebsd-release-manifests and made both ports depend on it.
>

I completely forgot about this. Thank you.

Glen
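
Added example, not part of the original message and not Poudriere's own code: a sketch of the check discussed in this thread, where fetched distribution sets are compared against a MANIFEST that was obtained out of band (for instance a locally installed copy) rather than the one fetched alongside the sets. It assumes a tab-separated MANIFEST whose first two fields are the file name and its SHA-256; the function names and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Return {set file name: expected SHA-256} (assumed tab-separated layout)."""
    expected = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name, digest = (line.split("\t") + [""])[:2]
        if len(digest) != 64 or not set(digest.lower()) <= set("0123456789abcdef"):
            raise ValueError(f"line {n}: missing or malformed SHA-256")
        if not name or "/" in name or name in expected:
            raise ValueError(f"line {n}: unsafe or duplicate name {name!r}")
        expected[name] = digest.lower()
    return expected

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_sets(trusted_manifest, dist_dir, wanted):
    """Return {name: 'ok' | 'mismatch' | 'missing' | 'not-in-manifest'}."""
    expected = parse_manifest(Path(trusted_manifest).read_text())
    status = {}
    for name in wanted:
        path = Path(dist_dir) / name
        if name not in expected:
            # A set the trusted MANIFEST does not list is never accepted.
            status[name] = "not-in-manifest"
        elif not path.is_file():
            status[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), expected[name]):
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    return status

if __name__ == "__main__":
    # Constructed sample: a fake base.txz and a MANIFEST line describing it.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "base.txz").write_bytes(b"constructed sample set")
        digest = hashlib.sha256(b"constructed sample set").hexdigest()
        Path(d, "MANIFEST").write_text(f"base.txz\t{digest}\t1\tbase\n")
        print(verify_sets(Path(d, "MANIFEST"), d, ["base.txz", "kernel.txz"]))
```

Anything other than `ok` for a requested set should abort the jail creation; the check is only as strong as the path by which the trusted MANIFEST itself was obtained.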