[Feature request] Ipfire binary signing

Help on building IPFire & Feature Requests
Post Reply
gpatel-fr
Posts: 39
Joined: July 24th, 2019, 7:59 am

[Feature request] Ipfire binary signing

Post by gpatel-fr » August 22nd, 2019, 7:40 am

Hello

Maybe I missed something, but I don't see any binary signing on the download page:
https://www.ipfire.org/download/ipfire-2.23-core134
A small additional security could be to provide by a GPG signature to protect against a compromise of downloads.ipfire.org.
It may be paranoid, but I checked on 3 distros: debian, ubuntu, alpine and they are doing it.

ummeegge
Community Developer
Community Developer
Posts: 4923
Joined: October 9th, 2010, 10:00 am

Re: [Feature request] Ipfire binary signing

Post by ummeegge » September 11th, 2019, 2:12 pm

Hi,
Pakfire checks for a valid signature --> https://git.ipfire.org/?p=ipfire-2.x.gi ... 2e9eb#l273 but (de)crypts it also --> https://git.ipfire.org/?p=ipfire-2.x.gi ... 2e9eb#l692 .

Best,

UE
Image
Image

gpatel-fr
Posts: 39
Joined: July 24th, 2019, 7:59 am

Re: [Feature request] Ipfire binary signing

Post by gpatel-fr » September 11th, 2019, 6:48 pm

ummeegge wrote:
September 11th, 2019, 2:12 pm
Pakfire checks for a valid signature
Well, yes, I did know that.
How exactly can pakfire protect anything if the downloaded ISO (on which it is provided) is contaminated by malware ?
The scenarios are not very probable, yes:
- compromise of the main web server
- dns poisoning
, but all distros are protecting against these risks by signing downloaded images (or more precisely signing the hashes), why not ipfire ?

ummeegge
Community Developer
Community Developer
Posts: 4923
Joined: October 9th, 2010, 10:00 am

Re: [Feature request] Ipfire binary signing

Post by ummeegge » September 11th, 2019, 7:01 pm

You can find the SHA256 Hash for every ISO on the download site e.g. --> https://www.ipfire.org/download/ipfire-2.23-core135 under "Checksums"

UE
Image
Image

gpatel-fr
Posts: 39
Joined: July 24th, 2019, 7:59 am

Re: [Feature request] Ipfire binary signing

Post by gpatel-fr » September 11th, 2019, 7:57 pm

ummeegge wrote:
September 11th, 2019, 7:01 pm
You can find the SHA256 Hash for every ISO on the download site e.g. --> https://www.ipfire.org/download/ipfire-2.23-core135 under "Checksums"
I am talking about *signing the hashes*, I am not asking where they are.

Take a look at this page:

http://releases.ubuntu.com/bionic/

As with ipfire, there are iso files; there are also sha hashes.

But contrary to ipfire, there is also gpg files.

These .gpg files can be used to verify the sha hashes. So the user can verify that the sha hashes are genuine and they are the true hashes generated by the developers on their (supposed well protected) computers. Once it is done, the sha checksuming of the iso is more meaningful with Ubuntu isos that it is the case with Ipfire isos.

ummeegge
Community Developer
Community Developer
Posts: 4923
Joined: October 9th, 2010, 10:00 am

Re: [Feature request] Ipfire binary signing

Post by ummeegge » September 12th, 2019, 5:15 am

I see. May a good idea if you take your request to the developer mailinglist --> https://lists.ipfire.org/mailman/listinfo/development or to the bugtracker -->
https://bugzilla.ipfire.org where you might get a faster response to this idea.

Best,

UE
Image
Image

gpatel-fr
Posts: 39
Joined: July 24th, 2019, 7:59 am

Re: [Feature request] Ipfire binary signing

Post by gpatel-fr » September 13th, 2019, 9:22 pm

I registered at bugzilla.ipfire.org, posted a new bug, noticed it was duplicating an existing one :-(

https://bugzilla.ipfire.org/show_bug.cgi?id=11345

Post Reply