Feature #4472

open

Cryptographically sign every (sub-)release

Added by Patrick Hieber about 9 years ago. Updated over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Build / Release
Target version:
-
Start date:
02/25/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

As it is quite easy for an active adversary to inject arbitrary data, every release should be signed, not only hashed.

Actions #1

Updated by Jim Pingle about 9 years ago

  • Priority changed from Very High to Normal

They are all currently signed with gzsig. Update files have their signature checked before being applied. So do packages (on 2.2). I'll leave this open for others here to comment, there may be some area that could be improved, but it is already done, though not quite so simple for the average user to verify.

Actions #2

Updated by Patrick Hieber about 9 years ago

I cannot find signatures when opening a mirror directory (e.g. http://files.nl.pfsense.org/mirror/downloads/). I meant the ISO and IMG files.

Actions #3

Updated by Jim Pingle about 9 years ago

Yes, all of the files including the ISO and IMG files are gzipped and signed with gzsig which adds signature metadata to the file. It must be checked with a program that understands the signature made by gzsig, and it is checked against the public key found in the release: source:etc/pubkey.pem
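An added example, not code from pfSense or from gzsig itself, illustrating why no separate signature files appear in the mirror listing: the signature travels inside the gzip header's FEXTRA field (RFC 1952), so a bare directory listing shows nothing extra. The script builds a constructed gzip member with an extra subfield and then parses it back out; the `GS` subfield id and its payload are placeholders standing in for whatever gzsig embeds, not a real signature, and checking the signature against `etc/pubkey.pem` is out of scope here.

```python
import gzip
import struct
import zlib

# Assumed subfield id used to mark the embedded signature (placeholder,
# not verified against the gzsig source).
SIG_SUBFIELD_ID = b"GS"


def build_gzip_with_extra(payload, subfields):
    """Constructed sample: a gzip member carrying RFC 1952 FEXTRA subfields.

    subfields is a list of (2-byte id, data) pairs; an empty list yields a
    plain member with no extra field, like an unsigned download.
    """
    extra = b"".join(sid + struct.pack("<H", len(d)) + d for sid, d in subfields)
    flg = 0x04 if subfields else 0x00          # FLG.FEXTRA bit
    header = b"\x1f\x8b\x08" + bytes([flg]) + b"\x00\x00\x00\x00" + b"\x00\xff"
    if subfields:
        header += struct.pack("<H", len(extra)) + extra
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    return header + body + trailer


def gzip_extra_subfields(blob):
    """Parse a gzip header and return {subfield_id: data} from its FEXTRA field."""
    if blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a deflate-compressed gzip member")
    out = {}
    pos = 10                                   # fixed header is 10 bytes
    if blob[3] & 0x04:                         # FEXTRA present
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        end = pos + xlen
        while pos + 4 <= end:                  # each subfield: id(2) len(2) data
            sid = blob[pos:pos + 2]
            (slen,) = struct.unpack_from("<H", blob, pos + 2)
            pos += 4
            out[sid] = blob[pos:pos + slen]
            pos += slen
    return out


def has_embedded_signature(blob, sig_id=SIG_SUBFIELD_ID):
    """True if the gzip header carries the (assumed) signature subfield."""
    return sig_id in gzip_extra_subfields(blob)


def payload_of(blob):
    """Standard gzip tools skip FEXTRA, so the member still decompresses normally."""
    return gzip.decompress(blob)
```

A real download would be read from disk with `open(path, "rb").read()` instead of the constructed member; a missing subfield means the file carries no embedded signature and should be verified by other means.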

Actions #4

Updated by Patrick Hieber about 9 years ago

Uhh - what a rare animal! I wasn't aware of gzsig so far.

Let's hope the attack on monkey.org, hosting also gzsig, hasn't affected gzsig-0.1 itself...
http://www.net-security.org/article.php?id=124
http://www.monkey.org/~dugsong/gzsig-0.1.tar.gz

Actions #5

Updated by Jim Pingle about 9 years ago

Yeah, hence my saying "not quite so simple for the average user to verify". :-)

We keep our own copy of gzsig in our tools repository, source and all, so we don't rely on an outside source that could be compromised.

Easiest way to verify would be to drop the file onto a running pfSense system (VM, etc) and run gzsig from there.

Actions #6

Updated by Chris Buechler about 9 years ago

Updates are signed and validated. The downloads page has a link to the md5 and sha256 hash files for your selected download via HTTPS. So there are secure means of validating your downloads. Still, signing ISO and img files as an additional option isn't a bad idea.

Actions #7

Updated by Jim Pingle over 4 years ago

  • Category set to Build / Release