Bug 238975 - Please have signatures for all distribution files that users download
Summary: Please have signatures for all distribution files that users download
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: misc (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: sec-team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-04 00:31 UTC by Yuri Victorovich
Modified: 2019-07-04 11:11 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Yuri Victorovich freebsd_committer 2019-07-04 00:31:27 UTC
AFAIK, the key referred to in /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is only used to sign the package database when it is downloaded by pkg(8).

Users sometimes also need to download base.txz and other files, and these files are just on FTP, for 12.0-STABLE they are here: ftp://ftp1.freebsd.org/pub/FreeBSD/snapshots/arm64/12.0-STABLE/
The MANIFEST file there has sha256 fingerprint, but the MANIFEST file is on the same FTP and isn't signed either.

Use case: software package needs to download base.txz to initialize a jail.
Currently, base.txz isn't authenticated by the signature, and has to be downloaded from the insecure FTP.

Please sign all files distributed through FTP with the sake key that you is used to sign the package database.