
Re: online checksum verification for FreeBSD


Elmar Stellnberger

Mar 18, 2010, 3:19:59 PM
to freebsd-...@freebsd.org, m...@micheas.net

Unfortunately pkg_check&sign do not seem to exist any more:

from 8.0 relnotes: "The pkg_sign and pkg_check utilities for
cryptographically signing FreeBSD packages have been removed. They were
only useful for packages compressed using gzip(1); however bzip2(1)
compression has been the norm for some time now."

Besides this I would need pkg_sign to take the checksums from the
respective .tbz instead of the local file system.
"For sha1, it checksums the file and verifies that the result matches
the list of checksums recorded in /var/db/pkg/SHA1."

Moreover I would need a script that just downloads the package headers;
not the whole packages because otherwise the check procedure would last
aeons.

I thought there was a version of bzip2 that did signing/encrypting but
guess not ... in any case it is not what freebsd uses

That way it seems to me as the easiest viable way to simply provide
external checksum lists as the package management depeers a proper
checksum handling. Such lists do already exist for Windows and OSX. That
way we would not even need a new tool; just checksum lists the user can
verify himself. For Linux on the other hand checksums are provided by the
package headers so that we do not need separate checksum lists.

>
> You can download the packages from:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/
>
> and run pkg_check. You might be able to extract the signature
> from the package.
>
> The packages themselves are signed. There is no separate
> signature file. /etc/ssl/pkg.crt is the location of the public
> key for the packages.
>


P.S.: Sorry for my late reply
I must have overlooked your message as I have not been subscribed to
freebsd-security.

Remko Lodder

Mar 19, 2010, 3:06:04 PM
to Elmar Stellnberger, freebsd-...@freebsd.org, m...@micheas.net

On Mar 18, 2010, at 8:19 PM, Elmar Stellnberger wrote:
>

One can donate funds to the FreeBSD Foundation and submit a proposal to get this included.
Since we are all volunteers this might be something that isn't going to see the light soon.
You could of course install something like tripwire and get a baseline from a trusted CD (you can
verify the ISO Files that we deliver) and use that to build your system.

Thanks,
Remko
(Speaking for myself)

--
/"\ Best regards, | re...@FreeBSD.org
\ / Remko Lodder | remko@EFnet
X http://www.evilcoder.org/ |
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
