From 7b3b635c776983ea415d990731056f9c6ea7b54d Mon Sep 17 00:00:00 2001 From: Shawn Webb Date: Fri, 27 Oct 2023 11:11:56 -0600 Subject: [PATCH] Document verifying build artifacts Signed-off-by: Shawn Webb --- Home.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/Home.md b/Home.md index 1fa001f..b57be04 100644 --- a/Home.md +++ b/Home.md @@ -40,6 +40,7 @@ Some of the branches, but not all, are listed below: 1. HEAD -> hardened/current/master 1. stable/13 -> hardened/13-stable/master +1. stable/14 -> hardened/14-stable/master # Features @@ -68,6 +69,38 @@ HardenedBSD has successfully implemented the following features: 1. Kernel malloc hardening 1. Shared memory hardening +# Verifying Build Artifacts + +The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so +that artifacts can be validated using only tools included in the base operating +system. + +First, download the SSH public key: + +``` +$ fetch https://installers.hardenedbsd.org/pub/keys/ssh.pub.txt +``` + +Then download the build artifact. For purposes of this documentation, the +compressed memstick installation image for HardenedBSD 14-STABLE will be used. + +``` +$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz +$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz.sig +``` + +Next, generate an `allowed_signers` file which contains the SSH public key: + +``` +$ echo "hbsd-os-build-01 $(cat ssh.pub.txt)" > allowed_signers +``` + +Now the signature file can be verified: + +``` +$ ssk-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz +``` + # Generic Kernel Options All of HardenedBSD's features that rely on kernel code require the
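Review bot: The last command in the new "Verifying Build Artifacts" section is spelled `ssk-keygen`, so it fails as written; it should read `ssh-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz`. A second point on the same section: `ssh.pub.txt` is fetched from the same host (installers.hardenedbsd.org) as the image and its `.sig`, so following these steps alone does not detect a case where the key was replaced together with the artifacts. Consider documenting the key's fingerprint, or where it is published independently, so a reader can check `ssh.pub.txt` before writing it into `allowed_signers`.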