Date: Wed, 29 Jun 2016 14:21:00 -0700
From: Yuri <yuri@rawbw.com>
To: freebsd-pkgbase@freebsd.org
Subject: Are signatures of system images verified?
Message-ID: <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com>

Both the system installer and poudriere jails take images from http://ftp.freebsd.org/pub/FreeBSD/releases/

But I can't see that there is a signature anywhere there that is verified during the download.

For example, pkg(8) uses the key fingerprint /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify downloads. This is the only file under /usr/share/keys/.

Does this mean that system images aren't verified and MITM is possible, or am I missing something?

Yuri