Dewayne Geraghty
Aug 5, 2025, 9:39:19 PM
to us...@hardenedbsd.org
This morning I decided to use signatures with my locally built
/packages. Following the instructions in "man pkg-repo" and examining
the resulting packagesite.pkg we find
signature
packagesite.yaml
For ease I'll use the smallest pkg that I have on my system
beep-1.0_2.pkg as the working example. I store all my packages under
/packages.
I can successfully perform "pkg install".
With further testing, including (aka maliciously changing):
# cp -pv /packages/All/sudo-1.9.17p1.pkg /packages/All/beep-1.0_2.pkg
# pkg install beep
Updating HardenedBSD repository catalogue...
HardenedBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
...
Extracting sudo-1.9.17p1: 100%
I'm perplexed as the integrity check should've failed, unless it's only
checking the "signature" against packagesite.yaml? Within
packagesite.yaml there is a sha256 for each package and the hash for the
original beep-1.0_2.pkg matches but (remember I copied sudo over the
beep package)
# pkg check -v beep
Checking beep-1.0_2: checksums... done
I'm starting to wonder if the package signature or hashes are used for
checking or perhaps something is badly broken including my assumption of
what pkg does. I'd appreciate if someone who uses signatures for their
packages would enlighten me.
Platform: HardenedBSD 14.3, pkg is 2.2.1, openssl 3.5.1
Cheers, Dewayne.
PS I'm writing here because we're probably a little bit more interested
in integrity ;)
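
An independent way to confirm whether the files under a repository still match the sha256 values recorded in packagesite.yaml, added here as an example and not part of the original post or of pkg itself. It assumes packagesite.yaml has been extracted from packagesite.pkg and holds one JSON manifest per line with "name", "sum" and "repopath" (or "path") fields; the function names and the sample repository built in demo() are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream: packages can be large
            h.update(chunk)
    return h.hexdigest()


def audit_repo(repo_root, catalogue):
    """Yield (name, status) per catalogue entry: ok, mismatch, missing or outside-repo."""
    root = Path(repo_root).resolve()
    with open(catalogue, encoding="utf-8") as fh:
        for line in filter(str.strip, fh):
            entry = json.loads(line)  # assumed layout: one JSON manifest per line
            pkg = (root / (entry.get("repopath") or entry["path"])).resolve()
            if root not in pkg.parents:
                status = "outside-repo"  # catalogue path escapes the repository
            elif not pkg.is_file():
                status = "missing"
            elif sha256_file(pkg) != entry["sum"].lower():
                status = "mismatch"  # file on disk is not the one the catalogue recorded
            else:
                status = "ok"
            yield entry["name"], status


def demo():
    """Constructed repo: the catalogue records both files, then sudo is copied over beep."""
    files = {"beep": "All/beep-1.0_2.pkg", "sudo": "All/sudo-1.9.17p1.pkg"}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "All").mkdir()
        cat = Path(root, "packagesite.yaml")
        with open(cat, "w", encoding="utf-8") as out:
            for name, rel in files.items():
                Path(root, rel).write_bytes(b"constructed payload: " + name.encode())
                entry = {"name": name, "sum": sha256_file(Path(root, rel)), "repopath": rel}
                out.write(json.dumps(entry) + "\n")
        shutil.copy(Path(root, files["sudo"]), Path(root, files["beep"]))
        return list(audit_repo(root, cat))


if __name__ == "__main__":
    print(demo())
```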