On Wed, Jun 29, 2016 at 03:22:33PM -0700, Yuri wrote:
> On 06/29/2016 14:59, Glen Barber wrote:
> >If I understand what you mean correctly, that would imply poudriere is
> >responsible for the contents of base.txz, which it is not. I think the
> >better solution (if I understood correctly) is RE needs to PGP-sign the
> >releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> >it in the announcement email for the release, as well as on the website.
> >
> >Please correct me if I did misunderstand.
> >
> >This way, poudriere could verify the hash of the file against what it
> >has downloaded, in addition to verifying the PGP fingerprint.
>
>
> Yes, only MANIFEST should be signed, I made a mistake suggesting that all
> binaries should be signed.
> Ok, got it. > I don't quite understand the connection between the poudriere run and the > announcement email. Could you please elaborate on this? Just downloading > something from the website isn't secure either. > The only correlation there is a link to a web page containing PGP-signed checksum files (for the ISOs). This is "new" as of 10.2-RELEASE. So, what I mean (or meant to say) is poudriere could fetch the base.txz file, fetch the signed checksum (of the MANIFEST), and compare it against something like this: https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc Hopefully that makes it a bit more clear on what I meant. Glen
signature.asc
Description: PGP signature
