firmware.openbsd.org (SHA256)

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

firmware.openbsd.org (SHA256)

Dr. COD
Hi all,

I use 6.4 Release.
I install fm on my laptop from http://firmware.openbsd.org/firmware/6.4/
This URL i found in man page FW_UPDATE(1)
You can see that ( index.txt ) has one file more then as on server!

---

 From index.txt:

-rw-r--r--  1 0  0     1707 Oct 16 22:41:37 2018 SHA256

---


This file I need to check that NSA don't ...

Please explain me why this file is absent on -> firmware.openbsd.org

BR,
Oleg Pahl

/
Index of 6.4/

drwxr-xr-x 2019-02-12 13:53 ../  <http://firmware.openbsd.org/firmware/>
-r--r--r-- 1857 2018-10-16 22:41 SHA256.sig  <http://firmware.openbsd.org/firmware/6.4/SHA256.sig>
-r--r--r-- 132269 2018-10-16 22:41 acx-firmware-1.4p5.tgz  <http://firmware.openbsd.org/firmware/6.4/acx-firmware-1.4p5.tgz>
-r--r--r-- 175991 2018-10-16 22:41 athn-firmware-1.1p4.tgz  <http://firmware.openbsd.org/firmware/6.4/athn-firmware-1.1p4.tgz>
-r--r--r-- 9464409 2018-10-16 22:41 bwfm-firmware-20171125.tgz  <http://firmware.openbsd.org/firmware/6.4/bwfm-firmware-20171125.tgz>
-r--r--r-- 39394 2018-10-16 22:41 bwi-firmware-1.4p4.tgz  <http://firmware.openbsd.org/firmware/6.4/bwi-firmware-1.4p4.tgz>
-r--r--r-- 1676 2018-10-16 22:41 index.txt  <http://firmware.openbsd.org/firmware/6.4/index.txt>
-r--r--r-- 1586910 2018-10-16 22:41 intel-firmware-20180807p0v0.tgz  <http://firmware.openbsd.org/firmware/6.4/intel-firmware-20180807p0v0.tgz>
-r--r--r-- 250278 2018-10-16 22:41 ipw-firmware-1.3p2.tgz  <http://firmware.openbsd.org/firmware/6.4/ipw-firmware-1.3p2.tgz>
-r--r--r-- 272109 2018-10-16 22:41 iwi-firmware-3.1p2.tgz  <http://firmware.openbsd.org/firmware/6.4/iwi-firmware-3.1p2.tgz>
-r--r--r-- 4139154 2018-10-16 22:41 iwm-firmware-0.20170105.tgz  <http://firmware.openbsd.org/firmware/6.4/iwm-firmware-0.20170105.tgz>
-r--r--r-- 3233866 2018-10-16 22:41 iwn-firmware-5.11p1.tgz  <http://firmware.openbsd.org/firmware/6.4/iwn-firmware-5.11p1.tgz>
-r--r--r-- 140369 2018-10-16 22:41 malo-firmware-1.4p4.tgz  <http://firmware.openbsd.org/firmware/6.4/malo-firmware-1.4p4.tgz>
-r--r--r-- 49935 2018-10-16 22:41 otus-firmware-1.0p1.tgz  <http://firmware.openbsd.org/firmware/6.4/otus-firmware-1.0p1.tgz>
-r--r--r-- 162130 2018-10-16 22:41 pgt-firmware-1.2p4.tgz  <http://firmware.openbsd.org/firmware/6.4/pgt-firmware-1.2p4.tgz>
-r--r--r-- 5218724 2018-10-16 22:41 radeondrm-firmware-20170119.tgz  <http://firmware.openbsd.org/firmware/6.4/radeondrm-firmware-20170119.tgz>
-r--r--r-- 65551 2018-10-16 22:41 rsu-firmware-1.2p1.tgz  <http://firmware.openbsd.org/firmware/6.4/rsu-firmware-1.2p1.tgz>
-r--r--r-- 75328 2018-10-16 22:41 rtwn-firmware-20180103.tgz  <http://firmware.openbsd.org/firmware/6.4/rtwn-firmware-20180103.tgz>
-r--r--r-- 73476 2018-10-16 22:41 uath-firmware-2.0p1.tgz  <http://firmware.openbsd.org/firmware/6.4/uath-firmware-2.0p1.tgz>
-r--r--r-- 24371 2018-10-16 22:41 upgt-firmware-1.1p4.tgz  <http://firmware.openbsd.org/firmware/6.4/upgt-firmware-1.1p4.tgz>
-r--r--r-- 63587 2018-10-16 22:41 urtwn-firmware-20180103.tgz  <http://firmware.openbsd.org/firmware/6.4/urtwn-firmware-20180103.tgz>
-r--r--r-- 68204 2018-10-16 22:41 uvideo-firmware-1.2p2.tgz  <http://firmware.openbsd.org/firmware/6.4/uvideo-firmware-1.2p2.tgz>
-r--r--r-- 45960 2018-10-16 22:41 vmm-firmware-1.11.0p0.tgz  <http://firmware.openbsd.org/firmware/6.4/vmm-firmware-1.11.0p0.tgz>
-r--r--r-- 66182 2018-10-16 22:41 wpi-firmware-3.2p1.tgz  <http://firmware.openbsd.org/firmware/6.4/wpi-firmware-3.2p1.tgz>


Reply | Threaded
Open this post in threaded view
|

Re: firmware.openbsd.org (SHA256)

Stuart Henderson
On 2019/02/13 16:41, Oleg Pahl wrote:

> Hi all,
>
> I use 6.4 Release.
> I install fm on my laptop from http://firmware.openbsd.org/firmware/6.4/
> This URL i found in man page FW_UPDATE(1)
> You can see that ( index.txt ) has one file more then as on server!
>
> ---
>
> From index.txt:
>
> -rw-r--r--  1 0  0     1707 Oct 16 22:41:37 2018 SHA256
>
> ---
>
>
> This file I need to check that NSA don't ...

The firmware packages are signed. fw_update downloads and verifies
signatures under restricted privileges, and (just like pkg_add with
binary packages) it doesn't proceed to decompress or parse the files
unless the signature is valid.

There is also a signed SHA256.sig file if you want to check signatures.
If you don't trust tgz files on a server, you can't trust an unsigned
SHA256 file either.

> Please explain me why this file is absent on -> firmware.openbsd.org

SHA256 actually is present, but is not included in index.html due to
how the index and SHA256 files are updated.

Reply | Threaded
Open this post in threaded view
|

Re: firmware.openbsd.org (SHA256)

Marc Espie-2
In reply to this post by Dr. COD
On Wed, Feb 13, 2019 at 04:41:56PM +0100, Oleg Pahl wrote:
> Hi all,
>
> I use 6.4 Release.
> I install fm on my laptop from http://firmware.openbsd.org/firmware/6.4/
> This URL i found in man page FW_UPDATE(1)
> You can see that ( index.txt ) has one file more then as on server!

It doesn't matter.

Getting a consistent global SHA256 / SHA256.sig  for distributed sets
of packages or firmwares   is  difficult at best.

For precisely that reason, packages are individually signed.

And both pkg_add *and* fw_update will refuse to install anything that's
not signed *by default*.

You can actually check the signature yourself, it's directly in the gzip
header comment (so that you can't pass unsigned data through zlib for
decompressions).

RTFM signify(1)  -z mode