Unable to find signature files for installer downloads
-
Yawn. I'd rather see pfsense.org DNSSEC signed and using TLSA. gzsig my ass.
-
So in the end the only thing I can really do is download all installation files from all the mirrors and compare their checksums and if they all match, I shall hope for the best…
I really do understand that certain features are not possible with pfSense and would require extensive funding, but signing? That can be automated and doesn't require anything beyond verifying it regularly once it is set up.
What does DNSSEC have to do with my topic?
-
What does DNSSEC have to do with my topic?
Since you are so horribly concerned you are not getting the real thing, surely being able to verify that you are downloading things from the proper site would help? So you want to verify some signature, now what's the point when that proper signature needs to be published somewhere on the website so that you could verify it. Kinda useless when you can publish anything via MITM.
Overall, being able to verify something against checksums published on a trusted site is a hell of a lot easier than messing with some cryptic gpnug/gzsig nonsense that 99% of users absolutely do not understand and have no desire to learn. Make a poll here and ask about how many of them understand how the signature verification of upgrades/packages works and see for yourself.
P.S. Contrary to your beliefs, implementing this gnupg stuff on infrastructure is a giant pain to start with, go read the Gentoo -dev ML archives.
-
Since you are so horribly concerned you are not getting the real thing
Tell me: Did you phrase it like this on purpose? Should I not be horribly concerned when I know that my own government has their spy equipment installed at a hop that all the traffic of our company comes across? When I have to assume that other governments do the same thing (GCHQ, NSA)?
So you want to verify some signature, now what's the point when that proper signature needs to be published somewhere on the website so that you could verify it.
I was talking about verification via GnuPG. DNSSEC won't be less of a "giant pain" than GnuPG. GnuPG might be a giant pain, but mostly because of problems with the web of trust, not because of setting it up.
messing with some cryptic gpnug/gzsig nonsense that 99% of users absolutely do not understand
I see. So apparently GnuPG is now nonsense - "gpnug" certainly is, I agree. I also like how you made up the percentage number :) I cannot speak for other users and what they understand or do not understand. I do care for it and it's not a very exotic or unreasonable thing to ask for.
This discussion with you adds nothing valuable to this topic, but I suppose I got the answer to my question: There are no signatures to verify. While I'd like to know more about it and possibly find a way to resolve this issue, I do realize this is not the right forum for that.
-
Should I not be horribly concerned when I know that my own government has their spy equipment installed at a hop that all the traffic of our company comes across? When I have to assume that other governments do the same thing (GCHQ, NSA)?
I sincerely hope you are actively avoiding any Intel HW… especially on your firewall. If not, all of this is a totally moot point.
-
Something like this doesn't seem like too much to ask.
https://www.freebsd.org/releases/10.1R/announce.asc
-
Something like this doesn't seem like too much to ask.
https://www.freebsd.org/releases/10.1R/announce.asc
Yeah. And note that freebsd.org is DNSSEC signed and has a TLSA record for https://www.freebsd.org. Without this, publishing similar stuff is essentially useless when you are concerned about MITM.
-
Useless how? If I've had the FreeBSD security team's public key for years, any alterations to the file can be detected if an MITM wants to play games. The communications channel doesn't matter if I can reliably verify the contents of the message.
-
If I've had the FreeBSD security team's public key for years
That's extremely relevant for those loads of people that don't have it. Or when the key gets revoked. Or when it expires.
-
Key management can be a hassle, yes. Not too bad for those who actually try to verify the integrity of their downloaded firewall software prior to use. Only a few people have to be doing it. They can raise the flag if they see something amiss.
You can stop trying to convince me of all the reasons this is not a good idea. You are wrong. It's the best, currently-available solution to the problem. Yes, they should also DNSSEC.
They should also PGP sign their announcements. Even if posted to the forum or blog there should be at least a link to the PGP-signed version.
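-
Added example (not part of any post in this thread, and not pfSense or FreeBSD project code): it checks each mirror's copy of an installer against a checksum taken from an announcement whose PGP signature has already been verified, which also catches the case where every mirror serves the same altered file. The `SHA256 (name) = digest` line format, the file name, the mirror labels and the sample bytes are assumptions constructed for illustration, and signature verification itself (for example `gpg --verify` against a key held beforehand) is assumed to have happened before this code runs.

```python
import hashlib
import re

# BSD-style checksum line: "SHA256 (name) = <64 hex digits>" (assumed format).
CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def signed_checksums(verified_body: str) -> dict:
    """Extract {filename: sha256} from text whose signature was already verified."""
    found = {}
    for line in verified_body.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            found[m["name"]] = m["digest"]
    return found


def check_mirrors(name: str, expected: dict, copies: dict) -> dict:
    """Classify each mirror's copy (label -> bytes) as 'ok' or 'MISMATCH'."""
    if name not in expected:
        # A file the signed text does not list is refused, never assumed good.
        raise KeyError(f"{name} is not listed in the signed announcement")
    verdicts = {}
    for mirror, data in copies.items():
        digest = hashlib.sha256(data).hexdigest()
        verdicts[mirror] = "ok" if digest == expected[name] else "MISMATCH"
    return verdicts


# Constructed sample data: a stand-in image, announcement body and mirror copies.
NAME = "installer-amd64.img.gz"
IMAGE = b"constructed installer image bytes"
ANNOUNCEMENT = (
    "Constructed release announcement (signature verified beforehand).\n"
    f"SHA256 ({NAME}) = {hashlib.sha256(IMAGE).hexdigest()}\n"
)
COPIES = {
    "mirror-a.example": IMAGE,
    "mirror-b.example": IMAGE,
    "mirror-c.example": IMAGE + b"\x00",  # altered on the mirror or in transit
}

if __name__ == "__main__":
    results = check_mirrors(NAME, signed_checksums(ANNOUNCEMENT), COPIES)
    for mirror, verdict in results.items():
        print(f"{mirror}: {verdict}")
```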