| Summary: | Please have signatures for all distribution files that users download |
| Product: | Base System | Reporter: | Yuri Victorovich <yuri> |
| Component: | misc | Assignee: | FreeBSD Release Engineering <re> |
| Severity: | Affects Only Me | CC: | lwhsu |
Description Yuri Victorovich 2019-07-04 00:31:27 UTC
AFAIK, the key referred to in /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is only used to sign the package database when it is downloaded by pkg(8).

Users sometimes also need to download base.txz and other files, and these files are just on FTP; for 12.0-STABLE they are here: ftp://ftp1.freebsd.org/pub/FreeBSD/snapshots/arm64/12.0-STABLE/

The MANIFEST file there has a sha256 fingerprint, but the MANIFEST file is on the same FTP and isn't signed either.

Use case: a software package needs to download base.txz to initialize a jail. Currently, base.txz isn't authenticated by a signature, and has to be downloaded from the insecure FTP.

Please sign all files distributed through FTP with the same key that is used to sign the package database.
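The gap described in this report, as an added example (not part of the bug report and not FreeBSD project code): a MANIFEST check only detects corruption unless the MANIFEST itself is anchored to something obtained over a trusted channel. The sketch assumes the MANIFEST is tab-separated with the file name in the first field and the SHA-256 in the second, and that a pinned MANIFEST digest (`pinned_manifest_sha256`, hypothetical) was obtained out of band.

```python
import hashlib
import hmac


class VerificationError(Exception):
    """Raised when the MANIFEST or a distribution file fails a check."""


def parse_manifest(manifest: bytes) -> dict:
    """Map file name -> lowercase SHA-256 hex from MANIFEST contents.

    Assumed layout: tab-separated fields, name first, SHA-256 second.
    """
    digests = {}
    for line in manifest.decode("utf-8").splitlines():
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # blank or malformed line
        name, digest = fields[0], fields[1].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise VerificationError(f"bad digest for {name!r}")
        if name in digests:
            raise VerificationError(f"duplicate entry for {name!r}")
        digests[name] = digest
    return digests


def verify_dist(manifest: bytes, pinned_manifest_sha256: str,
                name: str, data: bytes) -> None:
    """Check MANIFEST against a pinned digest, then data against MANIFEST."""
    actual = hashlib.sha256(manifest).hexdigest()
    if not hmac.compare_digest(actual, pinned_manifest_sha256.lower()):
        raise VerificationError("MANIFEST does not match pinned digest")
    expected = parse_manifest(manifest).get(name)
    if expected is None:
        raise VerificationError(f"{name!r} not listed in MANIFEST")
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected):
        raise VerificationError(f"{name!r} does not match MANIFEST")


# Constructed sample data, not real FreeBSD files.
SAMPLE_BASE = b"constructed stand-in for base.txz"
SAMPLE_MANIFEST = ("base.txz\t" + hashlib.sha256(SAMPLE_BASE).hexdigest()
                   + "\t1\tbase\t\"Base system\"\ton\n").encode()
SAMPLE_PIN = hashlib.sha256(SAMPLE_MANIFEST).hexdigest()
```

Without the pinned digest, a MANIFEST rewritten on the same server to match a replaced base.txz would pass the per-file check, which is why the report asks for a signature rather than a checksum.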