[asterisk-dev] Authenticated downloads of external stuff?

George Joseph gjoseph at digium.com
Tue Feb 13 07:33:34 CST 2018


On Tue, Feb 13, 2018 at 2:31 AM, Alexander Traud <pabstraud at compuserve.com>
wrote:

> > downloads.asterisk.org is an https site, so certificate auth and all
> > that should be verifiable.
>
> Currently, Asterisk retrieves its external stuff not via HTTPS but HTTP.
>
> One approach would be to change all links to HTTPS within the Asterisk
> source. However, that is problematic for example in FreeBSD which comes
> without trust anchors. Furthermore, that approach does not use
> certificate pinning. Therefore, one alternative is to move the hashes
> into the Asterisk tarball. This gives at least the same security as
> certificate pinning but does not increase the burden in the local
> configuration.
>
> Actually, this gives bulletproof downloads. The user only has to
> double-check the signature of the initial download, the download of the
> Asterisk tarball. Everything else chains up to that. The code is quite
> the same, just the location of the hashes moves.
>
>
>
Let me think about this a bit. The sounds files and pjproject I think would
be fairly straightforward because, as you've said, the versions are known when
we build the Asterisk tarball. The external modules might be problematic since
their versions are only tied to major Asterisk releases.

-- 
George Joseph
Digium, Inc. | Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
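The scheme discussed in this thread, where the expected digests of external downloads (sound files, pjproject) ship inside the Asterisk tarball so that trust chains back to the signed tarball rather than to each download's TLS connection, as an added example that is not Asterisk's own build code. The manifest format, the file name `pjproject-2.7.1.tar.bz2`, the artifact bytes and the function names `parse_manifest` and `verify_artifact` are constructed for the demonstration; the `sha256sum`-style manifest layout is an assumption, not what Asterisk uses.

```python
"""Verify externally downloaded build inputs against hashes pinned in the
source tree (example code, not part of Asterisk)."""
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for an external artifact; in practice this would be the
# real tarball fetched by the build (e.g. from downloads.asterisk.org).
SAMPLE_ARTIFACT = b"constructed stand-in for pjproject-2.7.1.tar.bz2\n"

# Constructed manifest in `sha256sum` layout. In the proposed scheme this file
# is generated when the release tarball is built, so it is covered by the
# tarball's signature and the user only verifies that one signature by hand.
MANIFEST_TEXT = (
    "# sha256 digests of external downloads, shipped inside the Asterisk tarball\n"
    f"{hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}  pjproject-2.7.1.tar.bz2\n"
)


def parse_manifest(text):
    """Return {file name: hex sha256} from sha256sum-style lines.

    Comment and blank lines are skipped; a malformed digest is an error
    rather than silently ignored, so a corrupted manifest fails closed."""
    manifest = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        int(digest, 16)  # raises ValueError if not hex
        manifest[name] = digest.lower()
    return manifest


def verify_artifact(path, manifest):
    """Hash the downloaded file and compare with the pinned digest.

    Returns (ok, reason). A file not listed in the manifest is rejected:
    the build must not use anything the release did not pin."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False, "not listed in manifest"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    # Constant-time comparison; the digest is public, but this is the habit
    # to keep for any comparison of secret-derived values.
    if not hmac.compare_digest(h.hexdigest(), expected):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Exercise the good, tampered and unlisted cases on constructed files."""
    manifest = parse_manifest(MANIFEST_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "pjproject-2.7.1.tar.bz2")
        with open(good, "wb") as f:
            f.write(SAMPLE_ARTIFACT)

        # Same file name as the pinned artifact but with modified contents,
        # modelling a substituted download.
        os.mkdir(os.path.join(tmp, "tampered"))
        tampered = os.path.join(tmp, "tampered", "pjproject-2.7.1.tar.bz2")
        with open(tampered, "wb") as f:
            f.write(SAMPLE_ARTIFACT + b"extra byte")

        # Constructed name for something the release never pinned.
        unknown = os.path.join(tmp, "some-other-download.tar.gz")
        with open(unknown, "wb") as f:
            f.write(b"not in the manifest")

        return {
            "good": verify_artifact(good, manifest),
            "tampered": verify_artifact(tampered, manifest),
            "unknown": verify_artifact(unknown, manifest),
        }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'} ({reason})")
```

The point the example makes concrete is the one Alexander raises: once the digests live in the source tree, a download over plain HTTP is acceptable because the bytes are checked against a value that arrived under the tarball's signature, and no local trust-anchor store is needed. The check only holds, however, for artifacts whose version is fixed at tarball build time, which is exactly George's concern about the external modules.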