Date: Wed, 29 Jun 2016 23:48:41 +0000
From: Glen Barber <gjb@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>
Cc: freebsd-pkgbase@FreeBSD.org, Colin Percival <cperciva@freebsd.org>
Subject: Re: Are signatures of system images verified?
Message-ID: <20160629234841.GP1453@FreeBSD.org>
In-Reply-To: <20160629234645.GO1453@FreeBSD.org>
References: <2cde3a9e-8b4d-8c5e-408a-053710986e29@rawbw.com>
 <20160629213252.GI1453@FreeBSD.org>
 <5f72274d-6932-fbf2-8abd-86a865aec0d1@rawbw.com>
 <20160629215944.GJ1453@FreeBSD.org>
 <7ac94438-4d39-2695-7b79-9ce04373e7e1@rawbw.com>
 <20160629230324.GL1453@FreeBSD.org>
 <5d642659-944b-d65d-9fc9-2aeab36acd98@FreeBSD.org>
 <20160629234645.GO1453@FreeBSD.org>

On Wed, Jun 29, 2016 at 11:46:45PM +0000, Glen Barber wrote:
> On Wed, Jun 29, 2016 at 04:38:05PM -0700, Bryan Drewery wrote:
> > On 6/29/2016 4:03 PM, Glen Barber wrote:
> > > On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> > >> On 06/29/2016 14:59, Glen Barber wrote:
> > >>> If I understand what you mean correctly, that would imply poudriere is
> > >>> responsible for the contents of base.txz, which it is not. I think the
> > >>> better solution (if I understood correctly) is RE needs to PGP-sign the
> > >>> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> > >>> it in the announcement email for the release, as well as on the website.
> > >>>
> > >>> Please correct me if I did misunderstand.
> > >>>
> > >>> This way, poudriere could verify the hash of the file against what it
> > >>> has downloaded, in addition to verifying the PGP fingerprint.
> > >>
> >
> > FYI since Poudriere 3.1.11, it has compared the checksums in the
> > MANIFEST against the downloaded packages. It also now uses
> > https://download.freebsd.org by default. It requires
> > security/ca_root_nss. I thought I had forced that dependency but it was
> > missing. It is added now.
> >
>
> Ah, great, thank you. To those interested, the MANIFEST files included
> were obtained in a secure manner, i.e., bootonly.iso was downloaded and
> extracted after the checksum was compared to the PGP-signed email.
>

Uhm, to lessen confusion, this last sentence...

> > Around that time (January 2016), Colin Percival has been maintaining a
> > copy of the MANIFESTS in ports-mgmt/poudriere as well. Those get
> > installed with Poudriere and used during jail -c after fetching if
> > available, so that relying on https isn't required. These were missing
> > for ports-mgmt/poudriere-devel until just now. I've moved them to
> > misc/freebsd-release-manifests and made both ports depend on it.
> >
>
> I completely forgot about this. Thank you.
>

... should have been here. :(

Glen
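
The check discussed in this thread (comparing downloaded release files against the checksums in a MANIFEST obtained through a trusted channel), as an added Python example that is not part of the original message and is not Poudriere's code. It assumes MANIFEST lines are tab-separated with the file name first and its SHA-256 hex digest second; `parse_manifest`, `verify_sets`, `demo` and the sample data are constructed for illustration.

```python
import hashlib, hmac, os, pathlib, tempfile

def parse_manifest(text):
    """Map file name -> SHA-256 hex digest (assumed layout: tab-separated, name, digest, ...)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected name and digest")
        name, digest = fields[0], fields[1].lower()
        if name in ("", ".", "..") or os.path.basename(name) != name:  # no path components
            raise ValueError(f"line {lineno}: unsafe file name {name!r}")
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"line {lineno}: not a SHA-256 digest")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry {name!r}")
        entries[name] = digest
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_sets(manifest_text, directory, wanted):
    """Return {name: status}; anything other than 'ok' must block installation."""
    entries, results = parse_manifest(manifest_text), {}
    for name in wanted:
        path = os.path.join(directory, name)
        if name not in entries:
            results[name] = "unlisted"  # fail closed: no trusted digest
        elif not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), entries[name]):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results

def demo():
    """Constructed data: kernel.txz is altered after the manifest is written."""
    sets = {"base.txz": b"constructed base", "kernel.txz": b"constructed kernel"}
    manifest = "".join(f"{n}\t{hashlib.sha256(d).hexdigest()}\n" for n, d in sets.items())
    with tempfile.TemporaryDirectory() as tmp:
        for n, d in sets.items():
            pathlib.Path(tmp, n).write_bytes(d + (b"!" if n == "kernel.txz" else b""))
        return verify_sets(manifest, tmp, ["base.txz", "kernel.txz", "lib32.txz"])
```

The result is only as trustworthy as the MANIFEST itself, which is why the thread is concerned with how it was obtained: installed from the port, or checked against the PGP-signed announcement.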