Hi. NetBSD really caught my attention these days. As I understand, it's a reasonably well organized system. Except for one thing. The problem: ============ How do I verify NetBSD images before writing them to some device? After searching NetBSD mirrors, I noticed all files have MD5 and SHA512 checksum lists, as expected, so we're able to make sure there's no accidental integrity violation. Yet, I could find no signature files, so if images are tampered with somehow and without notice for some time, then there'd be no way one could know, because in this case checksum files would for sure be changed as well. This could happen in any mirror, at any time, so there's a lot of attack surface here. Many systems (even those that don't take security as a top priority) would at least have theirs images signed (mostly using GPG). I find it hard to believe this is a matter not even considered in NetBSD, and if there's already some better mitigation for this that I'm not aware of, then I apologize. But then it's pretty well hidden. What have I noticed so far: =========================== Well, after reading through some past discussions of this list, I noticed some people proposed the use of TLS, with the help of CA certs from Mozilla. While TLS is great for protection in transit, I believe it'd not really address the problem here, because we'd still lack a protection at rest. Each new mirror is a new vector, and so I believe the checksum file for each artifact (images, distribution sets and even packages) should be signed and the signatures distributed together (as many other similar projects do). I wonder if the decision of not doing so does have some justification. As I said, I find it really hard to believe that a well estabilished and respected project such as NetBSD doesn't have anything like that, for so long. What could be done: =================== Personally, I like OpenBSD approach on this, with Signify [1]: [1] https://www.openbsd.org/papers/bsdcan-signify.html Maybe that's not viable for NetBSD for some reason. If so, that's all right, but then some other option must come out to prevent from supply chain attacks. Maybe OpenPGP might make more sense here, as NetPGP is already a mature tool, so having a default keyring inside the image would be enough to verify distribution sets and the next images. Please do not take this message as some criticism of NetBSD. As I said, I think it's great, but this signing matter really got me puzzled. -- Best regards, @hrcerq
Attachment:
pgpvloCq5Zay3.pgp
Description: PGP signature