mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-04 23:22:22 +01:00
Document verifying build artifacts
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
parent
596cf2abe1
commit
7b3b635c77
33
Home.md
33
Home.md
@ -40,6 +40,7 @@ Some of the branches, but not all, are listed below:
|
||||
|
||||
1. HEAD -> hardened/current/master
|
||||
1. stable/13 -> hardened/13-stable/master
|
||||
1. stable/14 -> hardened/14-stable/master
|
||||
|
||||
# Features
|
||||
|
||||
@ -68,6 +69,38 @@ HardenedBSD has successfully implemented the following features:
|
||||
1. Kernel malloc hardening
|
||||
1. Shared memory hardening
|
||||
|
||||
# Verifying Build Artifacts
|
||||
|
||||
The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so
|
||||
that artifacts can be validated using only tools included in the base operating
|
||||
system.
|
||||
|
||||
First, download the SSH public key:
|
||||
|
||||
```
|
||||
$ fetch https://installers.hardenedbsd.org/pub/keys/ssh.pub.txt
|
||||
```
|
||||
|
||||
Then download the build artifact. For purposes of this documentation, the
|
||||
compressed memstick installation image for HardenedBSD 14-STABLE will be used.
|
||||
|
||||
```
|
||||
$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz
|
||||
$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz.sig
|
||||
```
|
||||
|
||||
Next, generate an `allowed_signers` file which contains the SSH public key:
|
||||
|
||||
```
|
||||
$ echo "hbsd-os-build-01 $(cat ssh.pub.txt)" > allowed_signers
|
||||
```
|
||||
|
||||
Now the signature file can be verified:
|
||||
|
||||
```
|
||||
$ ssk-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz
|
||||
```
|
||||
|
||||
# Generic Kernel Options
|
||||
|
||||
All of HardenedBSD's features that rely on kernel code require the
|
||||
|
Loading…
Reference in New Issue
Block a user