Download release checksums via trusted connection

[gronke]

The manifest containing the release asset signatures is downloaded from the same untrusted http resource as the assets. To be an effective security feature we need to verify this signatures from trusted sources.

• downloads Hardened BSD signatures via encrypted connection
• downloads FreeBSD signatures via encrypted connection
• allows to specify a custom signature source

CLI

• allows the user to skip verification (currently --verify/--no-verify option
• allows to manually specify signatures (e.g. --signatures base=62acaee7e... or similar)

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[igalic]

is there a specific reason the images aren't downloaded https to begin with?

[gronke]

FreeBSD must have recently enabled encryption on download.freebsd.org - I can't remember this to be there when I started working on fetch! For HardenedBSD I can't find encrypted resources at this time.

[igalic]

not very hardened, imo then 😝

[gronke]

I would not consider downloading from https very secure either. It's just protecting against the simplest network attacks to compromise downloaded releases. (Btw. we do have checks of downloaded assets so that they do not compromise the host)

I would prefer to ship libiocage with a signed set of release hashes. They don't change that often and in case there is an unknown one, we can offer manual input and print a link to our issue tracker with a text snippet ready to copy/paste. We can even setup monitoring that watches MANIFEST files on the release servers for changes.

[gronke]

In irc.freenode.net #hardehedbsd @xmj mentioned we should look at the way hbsd-update update verifies the signatures.

unbound-host gave me some result, but I could not find a way to verify the txz assets from such keys. Here's an example from a test host:

# unbound-host -v -t txt -r "$(uname -m).master.11-stable.hardened.hardenedbsd.updates.hardenedbsd.org" 
amd64.master.11-stable.hardened.hardenedbsd.updates.hardenedbsd.org has TXT record "1505101784|hbsd-v1100049-548eb60819e04c5d06671a95f5a7082e194fb7d4|sha256:398c7c76884c951ba8feb3862557b1caa104b96dd2415b31e16cee48140c1ec2" (insecure)

Another thin I've noticed is the MANIFEST.asc file among the build assets. We could use that to verify the signatures file for HardenedBSD.

No progress on FreeBSD signature verification yet.

[gronke]

With #112 (f31745f) we switched the FreeBSD mirror to an encrypted resource. HardenedBSD still outstanding.

[gronke]

In the meanwhile HardenedBSD assets are also fetched via encrypted connection. Manual specification of hashes is still outstanding.

[gronke]

Releases are entirely downloaded and updated involving the trust chain and signatures obtained via HTTPS. There is still need to manually override signatures and to skip verification at all, but it is a different concern than this issue aimed to be.