# Validate FreeBSD distribution files



## mms (Nov 11, 2020)

I'm looking for a cryptographically safe way to validate FreeBSD distribution files.

There are two use cases I would like to cover:

*1 - Fully automated deployment via bsdinstall(8) on the installation ISO*

General workflow: fetch installation ISO, customize ISO, boot ISO to bsdinstall the system.

The input to the process is the URL to an installation ISO and I would like to validate the ISO (validating checksum from the MANIFEST at the same location is not sufficient).

There are signed FreeBSD 12.1 Release Checksum Signatures, but I did not find a way to confirm that the key is actually authentic.

*2 - Provisioning of Jails*

General workflow: fetch base.txz, extract it to the jail's root directory

The input to the process is the URL to base.txz. I would like to validate the package (again, validating the checksum from the MANIFEST is not sufficient).

Unfortunately, for this there are no cryptographically signed signatures available at all. The release checksum signatures mentioned above do not contain this file.


I would be extremely grateful for any pointers, as I cannot believe there is no safe way to validate a FreeBSD release in 2020.


----------



## SirDice (Nov 11, 2020)

mms said:


> There are signed FreeBSD 12.1 Release Checksum Signatures, but I did not find a way to confirm that the key is actually authentic.


If I'm not mistaken that's signed with the security officer's key: https://www.freebsd.org/security/


----------



## mms (Nov 11, 2020)

No, unfortunately they are not (or I'm doing something terribly wrong):

```
$ fetch https://www.freebsd.org/releases/12.1R/CHECKSUM.SHA512-FreeBSD-12.1-RELEASE-amd64.asc
CHECKSUM.SHA512-FreeBSD-12.1-RELEASE-amd64.asc        2693  B   82 MBps    00s

$ fetch https://www.freebsd.org/security/so_public_key.asc
so_public_key.asc                                     4369  B  126 MBps    00s

$ gpg --import so_public_key.asc
gpg: key D39792F49EA7E5C2: 2 signatures not checked due to missing keys
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key D39792F49EA7E5C2: public key "FreeBSD Security Officer <security-officer@FreeBSD.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

$ gpg --verify CHECKSUM.SHA512-FreeBSD-12.1-RELEASE-amd64.asc
gpg: Signature made So.  3 Nov. 22:56:23 2019 CET
gpg:                using RSA key 8D12403C2E6CAB086CF64DA3031458A5478FE293
gpg: Can't check signature: No public key
```


----------



## SirDice (Nov 11, 2020)

I wasn't really sure, the security officer's key seemed the most appropriate. Does this help: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pgpkeys.html


----------



## mms (Nov 11, 2020)

Yes it does!

Funnily enough, I had already found that page a couple of days ago, but for some reason missed the PGP keyring (which is what you need to import):

```
$ fetch https://www.freebsd.org/doc/pgpkeyring.txt
pgpkeyring.txt                                        5384 kB 1646 kBps    03s

$ gpg --import pgpkeyring.txt
...
gpg: Total number processed: 608
gpg:     skipped PGP-2 keys: 22
gpg:               imported: 585
gpg:              unchanged: 1
gpg: no ultimately trusted keys found

$ gpg --verify CHECKSUM.SHA512-FreeBSD-12.1-RELEASE-amd64.asc
gpg: Signature made So.  3 Nov. 22:56:23 2019 CET
gpg:                using RSA key 8D12403C2E6CAB086CF64DA3031458A5478FE293
gpg: Good signature from "Glen Barber <gjb@FreeBSD.org>" [unknown]
gpg:                 aka "Glen Barber <glen.j.barber@gmail.com>" [unknown]
gpg:                 aka "Glen Barber <gjb@glenbarber.us>" [unknown]
gpg:                 aka "Glen Barber <gjb@keybase.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 78B3 42BA 26C7 B2AC 681E  A7BE 524F 0C37 A0B9 46A3
     Subkey fingerprint: 8D12 403C 2E6C AB08 6CF6  4DA3 0314 58A5 478F E293
```

So at least I've got my first use case covered.

The second one is still open, though, as I couldn't find any signed checksum for base.txz. This means the only safe way to retrieve it is through extracting it from the ISO, correct?


----------
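The verification routine below is an added example (my own, not code from the thread or from the FreeBSD project) of the first use case done without trusting "a good signature from any of the 585 keys in pgpkeyring.txt": it imports the keyring into a throwaway GNUPGHOME, accepts the CHECKSUM.SHA512 signature only if gpg's machine-readable VALIDSIG line names the pinned primary fingerprint printed above, and then compares the downloaded file's SHA-512 with the signed checksum. Function names such as verify_dist_file are mine, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Assumptions: pgpkeyring.txt and the CHECKSUM.SHA512-*.asc file were fetched
# as in the thread; the pinned fingerprint is given as 40 hex digits, no spaces.

# Expected hash for one file name from the (already verified) checksum text.
# Constructed line format: SHA512 (FreeBSD-12.1-RELEASE-amd64-disc1.iso) = <hex>
expected_sha512() {  # $1 = checksum file, $2 = distribution file name
    awk -v f="$2" '$1 == "SHA512" && $2 == "(" f ")" { print $4 }' "$1"
}

# Accept only a VALIDSIG status line whose last field (primary key fingerprint)
# equals the pinned one. Constructed example of such a line:
# [GNUPG:] VALIDSIG 8D12...E293 2019-11-03 1572818183 0 4 0 1 10 01 78B3...46A3
signed_by_pinned_key() {  # $1 = gpg --status-fd output, $2 = pinned primary fpr
    printf '%s\n' "$1" |
        awk -v fp="$2" '$2 == "VALIDSIG" && $NF == fp { ok = 1 } END { exit !ok }'
}

# SHA-512 of a file: sha512(1) on FreeBSD, sha512sum(1) on Linux.
file_sha512() {  # $1 = path
    if command -v sha512 >/dev/null 2>&1; then sha512 -q "$1"
    else sha512sum "$1" | awk '{ print $1 }'; fi
}

# Full check: verify the clearsigned checksum file with a throwaway keyring,
# pin the signer, then compare the file hash. Returns 0 only if all steps pass.
verify_dist_file() {  # $1 = file, $2 = CHECKSUM .asc, $3 = pgpkeyring.txt, $4 = pinned fpr
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null &&
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --output "$home/checksums" --decrypt "$2" 2>/dev/null) &&
    signed_by_pinned_key "$status" "$4" &&
    want=$(expected_sha512 "$home/checksums" "$(basename "$1")") &&
    [ -n "$want" ] && [ "$want" = "$(file_sha512 "$1")" ]
    rc=$?
    rm -rf "$home"
    return $rc
}

# Usage (the fingerprint is the primary key fingerprint gpg printed above):
# verify_dist_file FreeBSD-12.1-RELEASE-amd64-disc1.iso \
#     CHECKSUM.SHA512-FreeBSD-12.1-RELEASE-amd64.asc pgpkeyring.txt \
#     78B342BA26C7B2AC681EA7BE524F0C37A0B946A3
```

The pinned fingerprint still has to come from somewhere you trust out of band (the handbook page, a previously installed system); the script only turns that one decision into a mechanical check.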

