• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Verifying repository data

Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
5 Posts 3 Posters 1.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • B Offline
    bigguy_
    last edited by Sep 5, 2017, 3:23 PM

    I have downloaded the repository data from pkg.pfsense.org but am unable to verify the validity of the signature using openssl.

    I have tried openssl sha256 -verify digests.pub -signature digests.sig digests

    I get the error Verification Failed

    I also tried openssl rsautl -pubin -inkey digests.pub -verify -in digests.sig -asn1parse

    I get an output of a signed sha256 hash but the hash doesn't match the output of sha256sum digests

    Should I be using a different tool for verification? How are the signatures actually generated? There is very little documentation on how signing works when using an external signing server as pfsense does.  I found this
    https://github.com/pfsense/pfsense/blob/master/tools/builder_defaults.sh

    It says the command to sign repository data is "ssh sign@codesigner.netgate.com sudo ./sign.sh" Unfortunately the source code for "sign.sh" doesn't seem to be available.

    1 Reply Last reply Reply Quote 0
    • P Offline
      PiBa
      last edited by Sep 5, 2017, 10:21 PM

      This should be all for 'sign.sh':  https://github.com/freebsd/pkg/blob/master/scripts/sign.sh

      #!/bin/sh
      # Example signing script. See pkg-repo(8) for more information.
      set -e
      
      read -t 2 sum
      [ -z "$sum" ] && exit 1
      echo SIGNATURE
      echo -n "$sum" | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
      echo
      echo CERT
      cat repo.pub
      echo END
      
      1 Reply Last reply Reply Quote 0
      • B Offline
        bigguy_
        last edited by Sep 6, 2017, 1:13 PM

        If openssl is used to make a sha256 digest then it should also work to verify the same. I can't think of a good reason why it should have given a verification error other than the checksum failed. Am I overlooking something? Maybe I should bring this to the attention of the security team. Can you check to see if verification fails for you also?

        The command "openssl sha256 -verify digests.pub -signature digests.sig digests" should be identical to
        "openssl dgst -verify digests.pub -sha256 -signature digests.sig digests"

        1 Reply Last reply Reply Quote 0
        • J Offline
          jimp Rebel Alliance Developer Netgate
          last edited by Sep 7, 2017, 8:58 PM

          Looks good to me.

          : egrep '(signature|fingerprints)' /usr/local/etc/pkg/repos/pfSense.conf | sort | uniq
            fingerprints: "/usr/local/share/pfSense/keys/pkg",
            signature_type: "fingerprints",
          
          : ls -l /usr/local/share/pfSense/keys/pkg
          total 1
          drwxr-xr-x  2 root  wheel  2 Sep  6 09:35 revoked
          drwxr-xr-x  2 root  wheel  4 Sep  6 09:35 trusted
          
          : ls -l /usr/local/share/pfSense/keys/pkg/trusted
          total 9
          -rw-r--r--  1 root  wheel  95 Aug 23 09:38 beta.pfsense.org.20151223
          -rw-r--r--  1 root  wheel  95 Aug 23 09:38 pkg.pfsense.org.20160406
          
          : cat /usr/local/share/pfSense/keys/pkg/trusted/pkg.pfsense.org.20160406 
          function: sha256
          fingerprint: 30be9cc2e7b2b3ba1ff3b2be1795f3f0719ab9a65322695703dc7b8f004035a8
          
          : fetch https://files00.netgate.com/pfSense_v2_4_0_amd64-core/digests.txz
          digests.txz                                   100% of 1516  B   11 MBps 00m00s
          
          : tar xvzf digests.txz 
          x digests.sig
          x digests.pub
          x digests
          
          : openssl sha256 digests.pub 
          SHA256(digests.pub)= 30be9cc2e7b2b3ba1ff3b2be1795f3f0719ab9a65322695703dc7b8f004035a8
          
          

          That's for CE, factory has a different URL/digest/fingerprint.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • B Offline
            bigguy_
            last edited by Sep 8, 2017, 12:09 PM

            Yeah, verifying the sha256 sum of the public key is an important step but so is verifying the sha256 sum  and signature of the actual signed data.

            My understanding of the chain of trust is that the "fingerprint" ie sha256 sum of the public key used for signing is included in the distribution. That's step 1.

            Step 2 is using the public key to verify the signature, digests.sig.  That's what the command
            "openssl rsautl -pubin -inkey digests.pub -verify -in digests.sig -asn1parse"
            did. The fact that it returned an asn1 encoded sha256 hash tells me the signature was valid. The problem arises with step 3.

            Step 3 is verifying the asn1 encoded hash matches the sha256 sum of the actual digests file. That's where the mismatch occurs.

            See this link.
            https://lists.freebsd.org/pipermail/freebsd-ports/2014-February/089751.html

            1 Reply Last reply Reply Quote 0
            5 out of 5
            • First post
              5/5
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
              This community forum collects and processes your personal information.
              consent.not_received