On Sat, Jan 25, 2020 at 08:00:07PM +0000, Nathan Dorfman wrote:
> Hello all,
>
> I really hope I'm missing something here, and we can all have a nice
> chuckle at my expense.
>
> But I can't see any way the integrity of the installer sets (base.txz,
> kernel.txz and friends) can be verified cryptographically? There is a
> MANIFEST file containing SHA256 checksums, but it itself does not appear
> to be signed in any way.
>
> The installer images do come with PGP-signed checksums. So, when using
> an image that already contains all the sets, one can be sure they are
> authentic. What happens when one uses a network-only installer, though?
> How can it authenticate the sets it downloads from the user's chosen
> mirror?
>
> A cursory glance at src/usr.sbin/bsdinstall suggests that it does not,
> in fact, do that. Checksums are compared against the MANIFEST (in
> scripts/checksum), but that is itself simply downloaded from the same
> mirror (in scripts/jail), usually over plain FTP, without any
> authentication.
>
No, this last part is not true. The installer always verifies the checksums
against /usr/freebsd-dist/MANIFEST on the installation medium. In particular,
this was done in r293223, where the LOCAL_DISTRIBUTIONS variable explicitly
contains the MANIFEST.

Glen
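The point of Glen's reply is where the trust anchor lives: the MANIFEST that ships on the (PGP-verifiable) installation medium, not a copy fetched from the same mirror as the sets. The script below is an added illustration of that check, written for this thread; it is not bsdinstall's own scripts/checksum and was not posted by either participant. It assumes the FreeBSD release MANIFEST layout of tab-separated fields (file, SHA-256, file count, name, description, default), and the `verify_sets`, `sha256_of` and `demo` names are the example's own. The demo builds a constructed "install medium" MANIFEST and a "mirror download" directory in a temporary location, tampers with one set after the MANIFEST was generated, and shows the verification refusing it.

```shell
#!/bin/sh
# Added example, not bsdinstall's scripts/checksum: verify downloaded
# distribution sets against a MANIFEST read from the trusted install medium.
# Assumed MANIFEST line format (tab-separated, as in FreeBSD release
# MANIFESTs): <file> <sha256> <nfiles> <name> <description> <default>

# Portable SHA-256: FreeBSD ships sha256(1), Linux hosts ship sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_sets TRUSTED_MANIFEST DOWNLOAD_DIR [SET...]
# Returns 0 only if every requested set exists, is listed in the trusted
# MANIFEST, and its SHA-256 matches. A set missing from the MANIFEST is a
# failure, not a skip: an attacker-controlled mirror must not be able to
# introduce a set the medium never vouched for.
verify_sets() {
    manifest=$1; dir=$2; shift 2
    status=0
    for dist in "$@"; do
        expected=$(awk -F'\t' -v f="$dist" '$1 == f { print $2; exit }' "$manifest")
        if [ -z "$expected" ]; then
            echo "$dist: not listed in trusted MANIFEST" >&2
            status=1; continue
        fi
        if [ ! -f "$dir/$dist" ]; then
            echo "$dist: missing from $dir" >&2
            status=1; continue
        fi
        actual=$(sha256_of "$dir/$dist")
        if [ "$actual" != "$expected" ]; then
            echo "$dist: checksum mismatch (expected $expected, got $actual)" >&2
            status=1; continue
        fi
        echo "$dist: ok"
    done
    return $status
}

# Self-contained demo with constructed data: a fake install medium holding
# the trusted MANIFEST, and a "mirror download" directory in which one set
# is modified after the MANIFEST was produced. Returns non-zero, as the
# tampered kernel.txz must be rejected.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/medium" "$tmp/dl"
    printf 'base contents\n' > "$tmp/dl/base.txz"
    printf 'kernel contents\n' > "$tmp/dl/kernel.txz"
    # Trusted MANIFEST is generated from the genuine contents...
    printf 'base.txz\t%s\t1\tbase\tBase system\ton\n' \
        "$(sha256_of "$tmp/dl/base.txz")" > "$tmp/medium/MANIFEST"
    printf 'kernel.txz\t%s\t1\tkernel\tKernel\ton\n' \
        "$(sha256_of "$tmp/dl/kernel.txz")" >> "$tmp/medium/MANIFEST"
    # ...then the mirror's copy of kernel.txz is altered in transit.
    printf 'tampered kernel\n' > "$tmp/dl/kernel.txz"
    verify_sets "$tmp/medium/MANIFEST" "$tmp/dl" base.txz kernel.txz
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run it with `sh verify.sh` after appending a call to `demo`; the useful property to take from it is that `verify_sets` never reads a MANIFEST from the download directory, so a mirror that serves both a modified set and a matching modified MANIFEST still fails the check.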