Date:      Sat, 22 Aug 2020 12:11:31 +0200
From:      Evilham <contact@evilham.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: Installation media signatures?
Message-ID:  <d99e85c6-aeb1-4b4f-a44d-d96ec4e5e67b@yggdrasil.evilham.com>
In-Reply-To: <Cj3Yc3KOW6TcZ3nphegDUTStxzAHyQc0QyK3Mzvno5rtVkLb0wg54TrVPwKICRO3fse4LuY2whUoPU0lEZWHspVkSozs1mN_EbAqns-yzFI=@protonmail.com>
References:  <Cj3Yc3KOW6TcZ3nphegDUTStxzAHyQc0QyK3Mzvno5rtVkLb0wg54TrVPwKICRO3fse4LuY2whUoPU0lEZWHspVkSozs1mN_EbAqns-yzFI=@protonmail.com>

On Fri, Aug 21 2020, 6E7368 via freebsd-questions wrote:

> I was about to flash the rpi3 12.1-RELEASE img to an SD card, 
> but I couldn't find any signatures to verify it against. Am I 
> missing something, or are users supposed to install unverified 
> images? Checksums without a signature are not an assurance 
> against tampering.
>
> I didn't find what I was looking for in the handbook or with 
> Google, and I thought I'd ask here instead of bugging the 
> security mailing list.

Hey, the web announcement has a URL to its signed counterpart:

https://www.freebsd.org/releases/12.1R/announce.html
https://www.freebsd.org/releases/12.1R/announce.asc

Since the announcement has all the checksums, you'd have to verify 
the announcement's signature, then the file's checksum against it.
The Handbook has more info about the project's PGP keys: 
https://www.freebsd.org/doc/handbook/pgpkeys.html

Cheers,
--
Evilham
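
The two-step check described in the reply above, as an added example that is not part of the original message: verify the signature on `announce.asc`, then compare the image's SHA512 with the value in the signed text only. The function names, the output file name `verified.txt` and the BSD-style `SHA512 (name) = digest` line format are assumptions of this example.

```shell
#!/bin/sh
# Added example: signature first, then checksum.
# Assumes the signed text lists digests in BSD style:
#   SHA512 (filename) = <hex digest>

# Step 1: check the signature and write out ONLY the signed text.
# gpg exits non-zero on a bad signature or a missing public key.
# It accepts any key in the keyring, so also compare the fingerprint
# gpg reports with the one on the Handbook's PGP keys page.
verify_announcement() {   # usage: verify_announcement announce.asc verified.txt
    gpg --output "$2" --decrypt "$1"
}

# SHA-512 of a file (sha512sum on Linux, sha512 on FreeBSD).
file_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        sha512 -q "$1"
    fi
}

# Step 2a: look up the digest listed for an image name in the verified text.
expected_sha512() {   # usage: expected_sha512 verified.txt image-name
    awk -v name="$2" \
        '$1 == "SHA512" && $2 == "(" name ")" && $3 == "=" { print $4 }' "$1"
}

# Step 2b: succeed only if the image is listed and its digest matches.
# An unlisted image or an unreadable file fails instead of comparing
# two empty strings; an image listed twice also fails.
check_image() {   # usage: check_image verified.txt image-file
    want=$(expected_sha512 "$1" "$(basename "$2")")
    got=$(file_sha512 "$2")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Typical use (file names are placeholders):
#   verify_announcement announce.asc verified.txt &&
#   check_image verified.txt <image-file> && echo "image OK"
```

Reading the checksum from gpg's output file rather than from `announce.asc` itself matters: text placed outside the signed region of a clearsigned file is not covered by the signature.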


