The pfSense Store

Author Topic: There is no real method of verifying download integrity - we need gpg keys  (Read 1249 times)

0 Members and 1 Guest are viewing this topic.

Offline Taiidan

  • Jr. Member
  • **
  • Posts: 37
  • Karma: +3/-5
    • View Profile
There is no real method of verifying download integrity for pfsense isos, most linux and bsd distros have a GPG key however this does not.

Downloading a checksum from a pfsense inc. controlled https server is better than what the more n00b centric distros do (regular http) but this is nowhere near good enough.


This is an urgent issue and I would like to see who I can contact about it.

Offline virgiliomi

  • Sr. Member
  • ****
  • Posts: 557
  • Karma: +74/-4
    • View Profile
Re: There is no real method of verifying download integrity - we need gpg keys
« Reply #1 on: December 28, 2016, 10:59:20 am »
SHA256 checksums of the release version download files are available from pfSense's site for verification of the download. They can be found here:

https://files.pfsense.org/hashes/

Even the daily snapshots of the development versions include SHA256 files, though those are on the same server as the snapshots are.

Edit: I see you're aware of the checksums... but my question to you is... if the server is verifiable as belonging to pfSense (through the SSL certificate) then what's the issue with using these checksums?
« Last Edit: December 28, 2016, 11:10:26 am by virgiliomi »

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: There is no real method of verifying download integrity - we need gpg keys
« Reply #2 on: December 28, 2016, 11:16:53 am »
The GPG keys are no "real method" either. https://blog.filippo.io/giving-up-on-long-term-pgp/
Do NOT PM for help!

Offline Taiidan

  • Jr. Member
  • **
  • Posts: 37
  • Karma: +3/-5
    • View Profile
Re: There is no real method of verifying download integrity - we need gpg keys
« Reply #3 on: December 28, 2016, 03:33:00 pm »
SHA256 checksums of the release version download files are available from pfSense's site for verification of the download. They can be found here:

https://files.pfsense.org/hashes/

Even the daily snapshots of the development versions include SHA256 files, though those are on the same server as the snapshots are.

Edit: I see you're aware of the checksums... but my question to you is... if the server is verifiable as belonging to pfSense (through the SSL certificate) then what's the issue with using these checksums?
"verifiable belonging to pfsense" ok so what is stopping someone from messing around with the .sha256 files by hacking the server or doing a MITM with a certificate from another CA?

The PKI CA system relies on every CA being honest, they won't really verify who is actually requesting a certificate even with EV and that still relies on someone actually noticing the lack of the EV box.
Certificate pinning only works until they get a new cert.

Every so often there is a story in the news about someone convincing a provider to sign for google.com or some other popular website where they really should know better.


GPG WOT signed keys are the best option available, plain and simple.

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: There is no real method of verifying download integrity - we need gpg keys
« Reply #4 on: December 28, 2016, 04:27:51 pm »
GPG WOT signed keys are the best option available, plain and simple.

Yeah, WoT. Mentioned in the link I posted. IOW, noone verifies things like this. People grab the key from a random keyserver. How's that different from grabbing a checksum from pfSense website goes beyond me.
Do NOT PM for help!

Offline Taiidan

  • Jr. Member
  • **
  • Posts: 37
  • Karma: +3/-5
    • View Profile
Re: There is no real method of verifying download integrity - we need gpg keys
« Reply #5 on: December 30, 2016, 07:14:36 am »
So because according to you "nobody verifies this" (how do you know that? I verify and so do people I know) we should just give up on security, surely no one will attack a distro that is used by governments and important companies.

As of now there is no way to tell if the .isos are corrupted, or if the build server is corrupted as we still don't have reproducible builds), does that seem ok to you?


Grabbing a key from a random keyserver (basic gpg verification) is much better than putting the "verification" hash on the same server as the .iso.


Does anyone know how to get in touch with whoever is actually running pfsense to ask them to do this? netgate doesn't answer my emails as I don't give them money...

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: There is no real method of verifying download integrity - we need gpg keys
« Reply #6 on: December 31, 2016, 07:39:40 am »
Grabbing a key from a random keyserver (basic gpg verification) is much better than putting the "verification" hash on the same server as the .iso.

Exactly how's that "much better"? Put some key on keyservers and use those for signing the fake ISOs. About 99% of people out there won't bother with verifying, and 99% of the rest will use whatever key you tell them to "verify".
Do NOT PM for help!

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14464
  • Karma: +1339/-200
  • Not a pfSense employee, they cannot fire me...
    • View Profile
So you want them to do it like freebsd does it where they have their checksums signed, and you can get the freebsd keys

https://www.freebsd.org/doc/en_US.ISO8859-1/articles/pgpkeys/

And then you could verify the checksums with the keys, etc. Sure why not.. It too could be compromised as dok says for billy bob coming to the site and grabbing the keys to validate either off the same site or some random keyserver were anyone can just upload keys, etc..  So not so sure how much "better" it is..

Unless you have previously validated the keys, etc.  So if you had keys from say when they first release them, and have validation of those keys.  Then this would be good idea, it's a bit more work - but if pfsense is wanting to show they are going the extra mile.. Sure why not.. 

There was a recent blog article about how they had some 3rd party validation of their code done.. So yeah this might be the next step..  As to contacting them

https://www.pfsense.org/about-pfsense/#contact-us
To contact us for submitting patches, inquiring about contributing to the project, notifying us of problems with any of our web sites, or any other non-support issue email coreteam@pfsense.org.

To contact us for security issues, use security@pfsense.org

Or you could prob hit up jwt or jimp with PM here on the board fior best direction to take such a request.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline Taiidan

  • Jr. Member
  • **
  • Posts: 37
  • Karma: +3/-5
    • View Profile
Grabbing a key from a random keyserver (basic gpg verification) is much better than putting the "verification" hash on the same server as the .iso.

Exactly how's that "much better"? Put some key on keyservers and use those for signing the fake ISOs. About 99% of people out there won't bother with verifying, and 99% of the rest will use whatever key you tell them to "verify".
Forward verification and web of trust obviously.

Why are you arguing against security improvements? What is your real motive? So because most users are idiots security shouldn't be bothered with?

You and the other trolls can go fuck right off, you have no good ideas and no constructive criticism all you do is come in and shit all over the place and people who want to make a difference.
So you want them to do it like freebsd does it where they have their checksums signed, and you can get the freebsd keys

https://www.freebsd.org/doc/en_US.ISO8859-1/articles/pgpkeys/

And then you could verify the checksums with the keys, etc. Sure why not.. It too could be compromised as dok says for billy bob coming to the site and grabbing the keys to validate either off the same site or some random keyserver were anyone can just upload keys, etc..  So not so sure how much "better" it is..

Unless you have previously validated the keys, etc.  So if you had keys from say when they first release them, and have validation of those keys.  Then this would be good idea, it's a bit more work - but if pfsense is wanting to show they are going the extra mile.. Sure why not.. 

There was a recent blog article about how they had some 3rd party validation of their code done.. So yeah this might be the next step..  As to contacting them

https://www.pfsense.org/about-pfsense/#contact-us
To contact us for submitting patches, inquiring about contributing to the project, notifying us of problems with any of our web sites, or any other non-support issue email coreteam@pfsense.org.

To contact us for security issues, use security@pfsense.org

Or you could prob hit up jwt or jimp with PM here on the board fior best direction to take such a request.
Yeah thats the idea.

Thanks, I had assumed that only paying customers would receive a reply due to the new corporate types in management.

I created a bug report but jim pringle closed it as a duplicate and pretty much said that having https and another server with the checksums is good enough, which it isn't as all it takes is one rogue CA either malicious or with poor security. I will message him again....


Why the hell are people arguing against security improvements? It makes absolutely no sense.

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Why are you arguing against security improvements? What is your real motive? So because most users are idiots security shouldn't be bothered with?
You and the other trolls can go fuck right off, you have no good ideas and no constructive criticism all you do is come in and shit all over the place and people who want to make a difference.
Why the hell are people arguing against security improvements? It makes absolutely no sense.

Noone's arguing against real security improvements. Wasting time on "improvements" that you just imagine to improve something (plus that a vast majority of people has no idea how to use) is just... well, waste of time. Already told you that the WOT is just something that plain does NOT work.

P.S. And yeah, my real motive is to backdoor every pfSense user, ya know, 3letter agent.  ::)
Do NOT PM for help!

Offline Nullity

  • Hero Member
  • *****
  • Posts: 973
  • Karma: +96/-9
    • View Profile
Re: There is no real method of verifying download integrity - we need gpg keys
« Reply #10 on: January 17, 2017, 05:52:32 am »
@Taiidan

Although doktornotor is a bit callous, all his points are valid and constructive. Telling him to "fuck off" is uncalled for... :( He actually does know his ass from a hole in the ground.

Unless you're physically meeting the pfSense to get their PGP keys, the increase in security is minimal.
Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramous.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1437/-26
    • View Profile
Re: There is no real method of verifying download integrity - we need gpg keys
« Reply #11 on: January 17, 2017, 01:37:09 pm »
If your primary concern is that the hashes are on the same server as the files, then that isn't always the case: When you download a file from pfsense.org using the download selector it shows you the hash on that page, served from the web server and not the same server that is sending you the img.gz/iso.gz. That should be sufficient verification for the majority of cases.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!