Date: Mon, 05 Feb 2001 23:33:26 -0700
From: Wes Peters <wes@softweyr.com>
To: Markus Holmberg <markush@acc.umu.se>
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: Package integrity check?
Message-ID: <3A7F9AB6.5CAA983B@softweyr.com>
References: <20010205210459.A2479@acc.umu.se>

Markus Holmberg wrote:
>
> Hello.
>
> Is there any way to perform an integrity check on packages that are fetched
> with "pkg_add -r <packagename>"?
>
> (Similarly to building a package manually with a trusted /usr/ports and
> checksumming downloaded files)
>
> I assume there is no way to do integrity checking on packages, which
> leads me to the question if the general opinion among the security
> conscious is that packages (from untrusted parties, like any ftp site on
> the mirror list) should not be used at all?

I have package signing tools, integrated into the pkg_ commands, sitting
on Freefall waiting to be committed. They let you sign a package with an
MD5 checksum (this mechanism is a little weird, inherited from the OpenBSD
code), a PGP signature (this code is also inherited from OpenBSD, uses PGP
2.xx command line tools, and kinda sucks in my opinion) and X.509
signatures. If you need it, I'll go ahead and commit what I have.

I opened a discussion about this on the -ports mailing list a while ago,
which immediately veered off into outer space. I haven't committed these
bits since then, but am willing to do so now. We could discuss some of
the sensible things people asked for and add them after the fact.

For instance, somebody mentioned that pkg_info should report if the
package is signed or not; pkg_add should (perhaps optionally) refuse to
install a signed package whose signature does not match. What is not
clear is whether it is OK to force pkg_add and pkg_info to link against
the crypto libraries, or if they should call the pkg_check executable (if
it is installed) to do the work.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                              Softweyr LLC
wes@softweyr.com                                http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
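
The install policy raised in the message above, as an added example that is not part of the original post and is not the pkg_ tools' code: it separates what a pkg_info-style report would say from what a pkg_add-style install would allow, including the case where the external checker is not installed. The names `check_package`, `may_install`, `require_signed` and the SHA-256 stand-in verifier are assumptions for illustration; the real tools use MD5, PGP or X.509 as described in the message.

```python
import hashlib
import hmac
from enum import Enum

class SigState(Enum):
    UNSIGNED = "not signed"
    VALID = "signed, signature matches"
    MISMATCH = "signed, signature does not match"
    UNVERIFIABLE = "signed, but no verifier is installed"

def check_package(payload, signature, verifier):
    """Classify a package the way a pkg_info-style report could."""
    if signature is None:
        return SigState.UNSIGNED
    if verifier is None:
        # The optional external checker is missing: report it, never assume OK.
        return SigState.UNVERIFIABLE
    return SigState.VALID if verifier(payload, signature) else SigState.MISMATCH

def may_install(state, require_signed=False):
    """Install decision for a pkg_add-style tool (hypothetical policy)."""
    if state is SigState.VALID:
        return True
    if state is SigState.UNSIGNED:
        # Stripping the signature turns a tampered package into an "unsigned"
        # one, so a strict mode has to reject unsigned packages as well.
        return not require_signed
    return False  # MISMATCH and UNVERIFIABLE both fail closed

def sha256_verifier(payload, signature):
    """Stand-in verifier: constant-time compare against a SHA-256 digest."""
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, signature)

# Constructed sample data, not a real package.
PKG = b"constructed package contents"
SIG = hashlib.sha256(PKG).hexdigest()

if __name__ == "__main__":
    cases = {
        "intact": (PKG, SIG, sha256_verifier),
        "modified": (PKG + b"!", SIG, sha256_verifier),
        "unsigned": (PKG, None, sha256_verifier),
        "no verifier": (PKG, SIG, None),
    }
    for name, args in cases.items():
        state = check_package(*args)
        print(f"{name:12} {state.value:40} install={may_install(state)}")
```
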