Verification of downloads/updates

Matthew Hooker · Jul 25, 2016

Hi,

Can somebody reassure me that the in GUI updates are verified using something more reliable than a sha256 checksum downloaded over the same unencrypted link as the update.

Also what is a reliable way of getting the checksum for new installs. ?

I notice that the documentation is/can be served over SSL but the download page at

http://www.freenas.org/download-freenas-release/

redirects to http when https us used.

The checksum shown there at present,

2628ef070ee8d50c0e3c2944766f5e8418c51d5aaf6d1e6a4239942372d1c11f

currently only shows up in one place on a Google search and that is not @freenas.org

Matthew

m0nkey_ · Jul 25, 2016

You can download updates over SSL at https://download.freenas.org/9.10/latest/x64/

sha256 is also available for checksum,

Matthew Hooker · Jul 25, 2016

Ah, thanks...

Any idea how I change the default update location from 'http://update.freenas.org/FreeNAS' to the https version and why https is not the default ?

Matthew

m0nkey_ · Jul 25, 2016

You could always put in a feature request for it. Doesn't sound unreasonable to do. I've tested the URL and it does indeed appear to work over SSL.

Ericloewe · Jul 25, 2016

The updates themselves are signed, too, IIRC.

Important Announcement for the TrueNAS Community.

Verification of downloads/updates

Matthew Hooker

Cadet

m0nkey_

MVP

Matthew Hooker

Cadet

m0nkey_

MVP

Ericloewe

Server Wrangler

Similar threads