Document verifying build artifacts

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
2024-12-04 15:13:58 +01:00 · 2023-10-27 11:11:56 -06:00 · 2023-10-27 11:11:56 -06:00 · 7b3b635c77
commit 7b3b635c77
parent 596cf2abe1
1 changed files with 33 additions and 0 deletions
--- a/Home.md
+++ b/Home.md
@ -40,6 +40,7 @@ Some of the branches, but not all, are listed below:

 1. HEAD -> hardened/current/master
 1. stable/13 -> hardened/13-stable/master
+1. stable/14 -> hardened/14-stable/master

 # Features

@ -68,6 +69,38 @@ HardenedBSD has successfully implemented the following features:
 1. Kernel malloc hardening
 1. Shared memory hardening

+# Verifying Build Artifacts
+
+The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so
+that artifacts can be validated using only tools included in the base operating
+system.
+
+First, download the SSH public key:
+
+```
+$ fetch https://installers.hardenedbsd.org/pub/keys/ssh.pub.txt
+```
+
+Then download the build artifact. For purposes of this documentation, the
+compressed memstick installation image for HardenedBSD 14-STABLE will be used.
+
+```
+$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz
+$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz.sig
+```
+
+Next, generate an `allowed_signers` file which contains the SSH public key:
+
+```
+$ echo "hbsd-os-build-01 $(cat ssh.pub.txt)" > allowed_signers
+```
+
+Now the signature file can be verified:
+
+```
+$ ssk-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz
+```
+
 # Generic Kernel Options

 All of HardenedBSD's features that rely on kernel code require the