On Wed, Jun 29, 2016 at 02:21:00PM -0700, Yuri wrote:
> Both system installer and poudriere jails take images from
> http://ftp.freebsd.org/pub/FreeBSD/releases/
>
> But I can't see that there is a signature anywhere there that is verified
> during the download.
>
> For example, pkg(8) uses the key fingerprint
> /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify downloads.
> This is the only file under /usr/share/keys/
>
> Does this mean that system images aren't verified and MITM is possible, or I
> am missing something?
This is different than pkgbase; the base.txz and kernel.txz, etc., are not what would have been installed with pkg(8). When pkgbase is ready, yes, they will be signed.

The MANIFEST for the base.txz is checked by bootonly.iso when installing (it has a local version of the file), so the security model here is:

 - bootonly.iso is downloaded, checksums compared to the PGP-signed email, and the image is "good";
 - bsdinstall(8) fetches the remote files and compares their hashes against a known-good MANIFEST (it is part of its filesystem, /usr/freebsd-dist/).

But you raise a good point: poudriere does not have a good way to validate the base.txz unless it also unpacks bootonly.iso (or any of the installer media) and compares the checksums.

Glen
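The two-step model Glen describes (trust the installer image via the signed checksum list, then trust each distribution set via the MANIFEST carried inside that image) can be reproduced by hand, which is exactly what a poudriere or custom-jail setup would need to do. The script below is an added example, not code from the thread or from the FreeBSD project: it assumes FreeBSD's tab-separated MANIFEST layout (file, SHA-256, file count, short name, description, default) and the `SHA256 (name) = hash` layout of the release CHECKSUM.SHA256 files, and the files and hashes it creates are constructed test data. Checking the PGP signature on the checksum list itself happens before this script and is not shown.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a downloaded installer
# image against a checksum list, and a fetched distribution set against the
# MANIFEST shipped inside the installer, as bsdinstall(8) does.

# Portable SHA-256 of a file: FreeBSD ships sha256(1), Linux sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_image CHECKSUM.SHA256 IMAGE
# Step 1 of the model: the image must match the entry in the (already
# signature-verified) checksum list. Assumed line format:
#   SHA256 (FreeBSD-...-bootonly.iso) = <hex>
verify_image() {
    checksums=$1; image=$2
    name=$(basename "$image")
    expected=$(awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" { print $4 }' "$checksums")
    [ -n "$expected" ] || return 2          # not listed: never pass silently
    [ -f "$image" ] || return 1
    [ "$(sha256_of "$image")" = "$expected" ]
}

# verify_dist MANIFEST DISTDIR NAME
# Step 2 of the model: DISTDIR/NAME must match the hash recorded in the
# MANIFEST taken from the trusted image (/usr/freebsd-dist/MANIFEST).
# Exit status: 0 match, 1 mismatch or missing file, 2 not listed in MANIFEST.
verify_dist() {
    manifest=$1; distdir=$2; name=$3
    expected=$(awk -F'\t' -v n="$name" '$1 == n { print $2 }' "$manifest")
    [ -n "$expected" ] || return 2
    [ -f "$distdir/$name" ] || return 1
    [ "$(sha256_of "$distdir/$name")" = "$expected" ]
}

# Constructed demo data: a fake image and a fake base.txz whose contents are
# the line "hello" (SHA-256 5891b5b5...be03), plus a kernel.txz whose
# MANIFEST entry deliberately does not match its contents.
demo_setup() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/bootonly.iso"
    printf 'SHA256 (bootonly.iso) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\n' \
        > "$dir/CHECKSUM.SHA256"
    printf 'hello\n'  > "$dir/base.txz"
    printf 'tampered\n' > "$dir/kernel.txz"
    printf 'base.txz\t5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\t1\tbase\t"Base system (MANDATORY)"\ton\n' \
        > "$dir/MANIFEST"
    printf 'kernel.txz\t0000000000000000000000000000000000000000000000000000000000000000\t1\tkernel\t"Kernel"\ton\n' \
        >> "$dir/MANIFEST"
    echo "$dir"
}

# Stand-alone run: image check, then every set a jail builder might fetch.
d=$(demo_setup)
rc=0; verify_image "$d/CHECKSUM.SHA256" "$d/bootonly.iso" || rc=$?
echo "bootonly.iso: rc=$rc"
for f in base.txz kernel.txz lib32.txz; do
    rc=0; verify_dist "$d/MANIFEST" "$d" "$f" || rc=$?
    case $rc in
        0) echo "$f: OK" ;;
        1) echo "$f: HASH MISMATCH, do not unpack" ;;
        2) echo "$f: not listed in MANIFEST, do not unpack" ;;
    esac
done
rm -rf "$d"
```

Returning a distinct status for "not listed" matters: a MANIFEST that simply lacks an entry must be treated as a failure, otherwise an attacker who can serve files can also serve a set the installer never vouched for.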
