Signing of base and package tarballs has been implemented in current,
and will be included in the next release.
-Otto
On Tue, Feb 04, 2014 at 02:00:35PM +0100, Kim Twain wrote:
> Hi. I'm seeing, in this mailing list, much talk about the datagate and
> related matters, and I can see why the topic may be of interest to
> many OpenBSD users.
>
> Anyway, I really like OpenBSD, but I always restrain myself from using
> it on a desktop machine for a single reason: while pkg_add supports
> signed packages, those provided by the OpenBSD project aren't.
>
> You can easily find other similar complaints on the internet... but I
> really fail to understand why the project isn't providing signed
> packages, when there is already support for it.
>
> Why do signed packages matter?
> Well, I can fetch the ports tree in a secure way, verify its integrity
> and origin, and then ports definitions contain source packages hashes.
> I like the idea and the flexibility, but on desktop computers, it may
> be undesirable to compile software, especially big suites like X,
> Gnome, Firefox, LibreOffice.
>
> This gets even worse when the "desktop" is a laptop computer, like in my case.
>
> I won't use unsigned packages, because there's a concrete risk of
> corruption; I don't know if I should trust the mirror, and even with
> the official OpenBSD mirrors... it's easy, really easy, for someone to
> run an http/ftp MITM on me and give me a backdoored, or trojaned,
> binary package.
>
> Not only on a free WiFi, on a hotel, abroad, but even using a "secure"
> connection, it's easy for the isp, or the government, to just give me
> a "bad" bash package, and gain root in a clap of hands.
>
> Then, the datagate revealed how easy it is to modify a stream "in
> between": if there are people capable of intercepting someone's request
> to linkedin on a rogue router in the path, and immediately giving back a
> page that contains a browser exploit, before the real site can produce
> a response, how easy is it to intercept, say, a pkg_add update to an
> openbsd mirror and give back a backdoored package? I'm not talking
> only about the Five Eyes; any government, even private entities, are
> capable of this.
>
> That's the reason why almost all gnu/linux distributions sign packages.
> Even other *BSD distributions are starting to adopt signed binary
> packages: pkg(ng), on FreeBSD, checks that the repository signature is
> made with the right key. It calculates the public key's hash, and
> compares it with the hash present in /usr/share/keys/pkg/trusted/.
> The repository definition contains a list of packages' hashes, which
> is the signed part. Every package provides a signature of all files
> provided. TL;DR: pkgng is totally signed.
>
> And pkg_add, as I already stated, while it doesn't have the concept of
> a "repository", still supports individually signed packages. What is
> holding the OpenBSD project back from implementing signed binary packages,
> and, is it planned?
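The repository signing scheme the quoted post describes (a pinned hash of the public key, a signed list of package hashes, and a per-package hash check), as an added example in Go. This is illustration code written for this page, not pkgng's, pkg_add's or signify's code; the manifest text format, the use of SHA-256 for both the key fingerprint and the package hashes, and the package bodies are constructed assumptions. It also plays out the two MITM cases from the post: a mirror that relays the signed manifest but swaps the package body, and an attacker who re-signs a manifest with a key the client has never pinned.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest is the repository definition: package name -> hex SHA-256 of the
// package file. These hashes are the part that gets signed, so a mirror or an
// on-path attacker cannot swap a hash without breaking the signature.
type Manifest map[string]string

// encode produces a canonical (sorted, one entry per line) byte form so that
// signer and verifier compute the signature over identical bytes. (Assumed
// format; pkgng's real manifest is not reproduced here.)
func (m Manifest) encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Fingerprint is the SHA-256 of the raw public key: the value a client pins
// locally, playing the role /usr/share/keys/pkg/trusted/ plays in the post.
func Fingerprint(pub ed25519.PublicKey) string { return hashHex(pub) }

// SignManifest is the repository side: an Ed25519 signature over the
// canonical manifest bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// VerifyManifest is the client side. The public key travelling with the
// repository is accepted only if its fingerprint is pinned; only then is the
// signature over the manifest checked.
func VerifyManifest(trusted map[string]bool, pub ed25519.PublicKey, m Manifest, sig []byte) error {
	if !trusted[Fingerprint(pub)] {
		return errors.New("repository key fingerprint is not in the trusted set")
	}
	if !ed25519.Verify(pub, m.encode(), sig) {
		return errors.New("bad signature over repository manifest")
	}
	return nil
}

// VerifyPackage checks a downloaded package body against the hash listed in
// an already-verified manifest.
func VerifyPackage(m Manifest, name string, body []byte) error {
	want, ok := m[name]
	if !ok {
		return fmt.Errorf("package %q is not listed in the manifest", name)
	}
	if hashHex(body) != want {
		return fmt.Errorf("package %q: hash mismatch, refusing to install", name)
	}
	return nil
}

// RunScenario builds a toy repository with one package, a client that pins
// only the repository key, and two on-path attacks. A nil error means the
// client accepted; both attacks must yield a non-nil error.
func RunScenario() (legit, tampered, rogueKey error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("bash-5.2p0.tgz: constructed stand-in for a package tarball")
	m := Manifest{"bash": hashHex(pkg)}
	sig := SignManifest(priv, m)
	trusted := map[string]bool{Fingerprint(pub): true}

	// Honest download: manifest verifies, package matches its listed hash.
	if legit = VerifyManifest(trusted, pub, m, sig); legit == nil {
		legit = VerifyPackage(m, "bash", pkg)
	}

	// Attack 1: manifest and signature relayed intact, package body replaced.
	backdoored := []byte("bash-5.2p0.tgz: constructed body with an added backdoor")
	tampered = VerifyPackage(m, "bash", backdoored)

	// Attack 2: attacker re-signs a manifest listing the backdoored hash with
	// a key of their own; its fingerprint is not pinned, so it is refused.
	rpub, rpriv, _ := ed25519.GenerateKey(rand.Reader)
	rm := Manifest{"bash": hashHex(backdoored)}
	rogueKey = VerifyManifest(trusted, rpub, rm, SignManifest(rpriv, rm))
	return legit, tampered, rogueKey
}

func main() {
	legit, tampered, rogue := RunScenario()
	fmt.Println("honest mirror:", legit)
	fmt.Println("swapped package:", tampered)
	fmt.Println("re-signed by rogue key:", rogue)
}
```

The order of checks is the point: the fingerprint is compared before the signature is ever verified, so a key an attacker ships alongside a re-signed manifest is rejected without its signature being consulted, and the package hash is only trusted once the manifest that carries it has passed both checks.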