pfSense

I cannot find signatures when opening a mirror directory (e.g. http://files.nl.pfsense.org/mirror/downloads/). I meant the ISO and IMG files.

Yes, all of the files including the ISO and IMG files are gzipped and signed with gzsig which adds signature metadata to the file. It must be checked with a program that understands the signature made by gzsig, and it is checked against the public key found in the release: source:etc/pubkey.pem

Uhh - what a rare animal! I wasn't aware of gzsig so far.

Let's hope the attack on monkey.org, hosting also gzsig, hasn't affected gzsig-0.1 itself...
http://www.net-security.org/article.php?id=124
http://www.monkey.org/~dugsong/gzsig-0.1.tar.gz

Yeah, hence my saying "not quite so simple for the average user to verify". :-)

We keep our own copy of gzsig in our tools repository, source and all, so we don't rely on an outside source that could be compromised.

Easiest way to verify would be to drop the file onto a running pfSense system (VM, etc) and run gzsig from there.

Updates are signed and validated. The downloads page has a link to the md5 and sha256 hash files for your selected download via HTTPS. So there are secure means of validating your downloads. Still, signing ISO and img files as an additional option isn't a bad idea.