Cryptographically sign every (sub-)release
As it is quite easy for an active adversary to inject arbitrary data, every release should be signed, not only hashed.
#1 Updated by Jim Pingle almost 6 years ago
- Priority changed from Very High to Normal
They are all currently signed with gzsig. Update files have their signature checked before being applied. So do packages (on 2.2). I'll leave this open for others here to comment, there may be some area that could be improved, but it is already done, though not quite so simple for the average user to verify.
#3 Updated by Jim Pingle almost 6 years ago
Yes, all of the files including the ISO and IMG files are gzipped and signed with gzsig which adds signature metadata to the file. It must be checked with a program that understands the signature made by gzsig, and it is checked against the public key found in the release: source:etc/pubkey.pem
#5 Updated by Jim Pingle almost 6 years ago
Yeah, hence my saying "not quite so simple for the average user to verify". :-)
We keep our own copy of gzsig in our tools repository, source and all, so we don't rely on an outside source that could be compromised.
Easiest way to verify would be to drop the file onto a running pfSense system (VM, etc) and run gzsig from there.
#6 Updated by Chris Buechler almost 6 years ago
Updates are signed and validated. The downloads page has a link to the md5 and sha256 hash files for your selected download via HTTPS. So there are secure means of validating your downloads. Still, signing ISO and img files as an additional option isn't a bad idea.
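As an added example (not code from the pfSense project or from anyone in this thread), the script below does the hash-file check that comment #6 describes: it parses a downloaded `.sha256`/`.md5` file, recomputes the digest of the release file, and compares them in constant time. The two hash-file layouts it accepts (BSD `SHA256 (name) = hex` and GNU `hex  name`) are an assumption about the download page, not something the thread states. It also carries the thread's caveat in code: an MD5 entry is refused, and the check is only as strong as the channel the hash file arrived over (HTTPS here), which is why the issue asks for signatures rather than hashes alone. The release data and hash files are constructed inline so the script runs offline.

```python
import hashlib
import hmac
import re

# Constructed sample "release" standing in for an ISO/IMG .gz download.
SAMPLE_NAME = "example-release.iso.gz"
SAMPLE_DATA = b"constructed sample release payload\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed hash files in the two layouts this script assumes (see lead-in).
GOOD_HASH_FILE = f"SHA256 ({SAMPLE_NAME}) = {sha256_hex(SAMPLE_DATA)}\n"      # BSD style
GNU_HASH_FILE = f"{sha256_hex(SAMPLE_DATA)}  {SAMPLE_NAME}\n"                 # GNU sha256sum style
MD5_HASH_FILE = f"MD5 ({SAMPLE_NAME}) = {hashlib.md5(SAMPLE_DATA).hexdigest()}\n"

# BSD style:  SHA256 (filename) = <hex>
_BSD = re.compile(r"^(?P<alg>[A-Za-z0-9]+) \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]+)$")
# GNU style:  <hex>  filename   (optional '*' binary-mode marker before the name)
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]+)\s+\*?(?P<name>\S.*)$")


def parse_hash_file(text: str) -> dict:
    """Return {filename: (algorithm, hex_digest)} from either layout."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _BSD.match(line)
        if m:
            entries[m["name"]] = (m["alg"].lower(), m["hex"].lower())
            continue
        m = _GNU.match(line)
        if m:
            # GNU lines carry no algorithm name; infer it from the digest length.
            alg = {32: "md5", 64: "sha256"}.get(len(m["hex"]))
            if alg is None:
                raise ValueError(f"unrecognised digest length in: {line!r}")
            entries[m["name"]] = (alg, m["hex"].lower())
            continue
        raise ValueError(f"unrecognised hash line: {line!r}")
    return entries


def verify_download(name: str, data: bytes, hash_text: str, require: str = "sha256"):
    """Check `data` against the entry for `name` in `hash_text`.

    Returns (ok, reason). Only the `require`d algorithm is accepted, so an
    MD5-only hash file is rejected rather than silently trusted.
    """
    entries = parse_hash_file(hash_text)
    if name not in entries:
        return False, "no entry for file"
    alg, expected = entries[name]
    if alg != require:
        return False, f"hash file uses {alg}, not {require}"
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison; avoids leaking how many leading hex digits match.
    ok = hmac.compare_digest(actual, expected)
    return ok, "ok" if ok else "digest mismatch"


if __name__ == "__main__":
    print(verify_download(SAMPLE_NAME, SAMPLE_DATA, GOOD_HASH_FILE))
    print(verify_download(SAMPLE_NAME, SAMPLE_DATA + b"tampered", GOOD_HASH_FILE))
    print(verify_download(SAMPLE_NAME, SAMPLE_DATA, MD5_HASH_FILE))
```

A passing result here only shows that the file matches the hash file you were given; if both were fetched from the same place, the check inherits the integrity of that channel. A gzsig signature checked against the in-release public key, as comments #3 and #5 describe, does not have that dependency, which is the distinction the issue is about.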