Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 07 Aug 2017 20:16:08 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 221281] sysutils/ezjail should verify downloaded tarballs before use
Message-ID:  <bug-221281-13-qKedZzxkcO@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-221281-13@https.bugs.freebsd.org/bugzilla/>
References:  <bug-221281-13@https.bugs.freebsd.org/bugzilla/>

next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D221281

--- Comment #2 from Rene Wagner <rw@nelianur.org> ---
Thanks for the quick reply! I'm glad to hear you're actively working on ezj=
ail
again!

As for "bsdinstall jail", does it actually check any signatures?

If I read its source code correctly it appears that it first fetches the
MANIFEST file, then the base.txz listed therein as well as any additional
distribution files selected by the user, and finally computes the SHA256
checksums of the downloaded files which are then compared against the check=
sums
from the MANIFEST.

The MANIFEST file is not signed. Thus, this will only prevent accidental
corruption of files in transit. It doesn't provide any protection against
malicious tampering, does it?

--=20
You are receiving this mail because:
You are the assignee for the bug.=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-221281-13-qKedZzxkcO>