How to trust the installation image?

[Kringel]

I consider to install FreeBSD. The most important feature for me is security. I want a system that is built only from trusted sources.

Now I have the following problem: How do I check if the downloaded image is an original one from the FreeBSD-maintainers?

I can not find a reasonably trustworthy way to get the public keys of the developers. There is http://www.freebsd.org/doc/handbook/pgpkeys.html. But it is not https and could easily be faked by the same people that may provide me with a trojan image.

Sure, this is very paranoid (and I would be surprised if I would get a malicious version). But I would like to solve this problem. It seems that FreeBSD is used primarily as server system. So I am sure there is a way for all the careful admins to check the integrity of their installation sources. I just can't find it.

 

[wblock@]

Compare the md5(1) or sha256(1) checksums to those on the FTP site. The main FTP site, if you're concerned about the trustworthiness of a mirror.

 

[Kringel]

Thats the problem: The checksums have the same weakness as the link to the public keys. Both come from sources that are as trustworthy as the ftp sites with the isos themself. A http or ftp source is relativly easy to manipulate. So i was hoping for an official https site or something where i can get the keys or the checksums. This way it would be much more difficult to set up a manipulated source and it would make me a bit more happy.

At the moment I am using a linux distribution that relies on unmanipulated mirrors that are accessed via ftp or http. I was hoping for a more solid solution. But when i get checksums or keys via ftp or http I end up with the same level of security. I was expecting that this would be unaccaptable for admins that are responsible for the security of some important servers that must be as secure as they can get. Am I really more paranoid than them?

Sure, it is very unlikely to get malicious software when doing a ftp download from a main mirror. But there must be a better way to check the source of a system i want to trust. (Yeah... i know that my potentially already hacked running system could fake any checksum or gpg-output, but lets pretend I would have access to a super safe system where i can verify the media )

 

[SNK]

I do not have an answer to your question. However, you might be interested in a related discussion that started with http://docs.freebsd.org/cgi/getmsg.cgi?fetch=258216+0+archive/2009/freebsd-questions/20090104.freebsd-questions.

 

[Kringel]

Thanks! This discussion is exactly about what I try to solve. Especially this post hits the nail on the head: Somehow I need a trusted source for a public key (or its fingerprint) that is used to sign the installation media. I already tried to find something in Amazons online "preview" of the book "Absolute FreeBSD", but without success. Any suggestions for other sources where i can look for?