[OmniOS-discuss] publisher signature-policy=require-signatures for new zones
Ben Summers
ben at fluffy.co.uk
Tue Feb 11 16:22:38 UTC 2014
Replying to my own email for the archives...

It appears you can't do this. pkg is hard coded to use "verify" as the signature-policy.

The workaround is to install the zone and before booting,

    pfexec pkg -R /path/to/zone/root set-publisher --set-property signature-policy=require-signatures omnios

to set the property, then

    pfexec pkg -R /path/to/zone/root fix

to check all the signatures and correct any errors.

Ben

On 8 Feb 2014, at 16:00, Ben Summers <ben at fluffy.co.uk> wrote:
>
> Hello,
>
> r151008 now includes signed packages, but the default signature-policy is verify, so it's still vulnerable to MITM if the attacker simply removes the signatures from the manifests.
>
> I can run
>
> pkg set-publisher --set-property signature-policy=require-signatures omnios
>
> immediately after install from the iso to make sure any updates in the global zone are properly checked.
>
> However, when I install a zone, the zone's signature-policy is the default of verify. pkg downloads files from the IPS server, so anything in the zone's image is vulnerable.
>
> Is it possible to specify signature-policy=require-signatures for new zones in the initial configuration?
>
> Thanks,
>
> Ben
>
>
>