Feature #4472
open
Cryptographically sign every (sub-)release
Added by Patrick Hieber over 9 years ago.
Updated about 5 years ago.
Description
As it is quite easy for an active adversary to inject arbitrary data, every release should be signed, not only hashed.
- Priority changed from Very High to Normal
They are all currently signed with gzsig. Update files have their signature checked before being applied. So do packages (on 2.2). I'll leave this open for others here to comment, there may be some area that could be improved, but it is already done, though not quite so simple for the average user to verify.
Yes, all of the files including the ISO and IMG files are gzipped and signed with gzsig which adds signature metadata to the file. It must be checked with a program that understands the signature made by gzsig, and it is checked against the public key found in the release: source:etc/pubkey.pem
Yeah, hence my saying "not quite so simple for the average user to verify". :-)
We keep our own copy of gzsig in our tools repository, source and all, so we don't rely on an outside source that could be compromised.
Easiest way to verify would be to drop the file onto a running pfSense system (VM, etc) and run gzsig from there.
Updates are signed and validated. The downloads page has a link to the md5 and sha256 hash files for your selected download via HTTPS. So there are secure means of validating your downloads. Still, signing ISO and img files as an additional option isn't a bad idea.
- Category set to Build / Release
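As an added demonstration of the point made in the description and the last comment (this is not pfSense's code, and openssl is used as a stand-in for gzsig): a hash file published next to a download is just more data an active adversary on the path can replace, while a signature made with a key the adversary does not hold is not. The key pair, file contents and paths are constructed for the example and have nothing to do with the real release key in source:etc/pubkey.pem.

```shell
#!/bin/sh
# Constructed example: hash-only vs. signature-based verification of a release.
# openssl stands in for gzsig; the key pair is generated here and is NOT the
# pfSense release key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

sha256_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# Publisher side: build a "release", publish its sha256 and sign it.
publish_release() {
    printf 'pfSense-release-image-contents\n' > "$WORK/release.img"
    sha256_of "$WORK/release.img" > "$WORK/release.img.sha256"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/release.key" 2>/dev/null
    openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/pubkey.pem" 2>/dev/null
    openssl dgst -sha256 -sign "$WORK/release.key" \
        -out "$WORK/release.img.sig" "$WORK/release.img"
}

# Verifier side, hash only: prints hash-ok or hash-bad.
check_hash() {
    expected=$(cat "$WORK/release.img.sha256")
    [ "$expected" = "$(sha256_of "$WORK/release.img")" ] && echo hash-ok || echo hash-bad
}

# Verifier side, signature against the shipped public key: sig-ok or sig-bad.
check_sig() {
    if openssl dgst -sha256 -verify "$WORK/pubkey.pem" \
        -signature "$WORK/release.img.sig" "$WORK/release.img" >/dev/null 2>&1; then
        echo sig-ok
    else
        echo sig-bad
    fi
}

# Adversary in the download path: can rewrite the image AND the hash file
# (both are plain data), but has no private key, so the old signature stays.
tamper_release() {
    printf 'modified-image-contents\n' > "$WORK/release.img"
    sha256_of "$WORK/release.img" > "$WORK/release.img.sha256"
}

publish_release
echo "fresh download:  $(check_hash) $(check_sig)"
tamper_release
echo "after tampering: $(check_hash) $(check_sig)"
```

The second line shows the hash check still passing after tampering while the signature check fails, which is the gap a hash file served without a signature leaves open.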