Now that 5.5 is officially released, a few notes about our signing policy. I helped devise the policy, but there are a few operational details regarding the who and the what and where I don't know (because I don't need to know). I'll do my best to answer questions, but if this email doesn't already answer them, you may be out of luck. :)
What should be signed and what shouldn't? In short, we will sign "artifacts" but not general communications. Artifacts is my word for anything that we put up on the ftp sites. Releases, packages, installer ISOs, patches, etc. (We're currently transitioning from ftp to http servers, which is likely to blur the lines a bit, but the web site stuff hosted on www.openbsd.org is not an artifact.) If something looks like an artifact, you should expect it to be signed. Note packages (including firmware) carry signatures internally and are automatically verified by pkg_add. Other files are automatically verified by the installer, so the three files you will need to verify by hand are 1) the installer itself, using SHA256.sig 2) any src.tar.gz files you download, using SHA256.sig and 3) any errata patches, which contain signature lines in the header. (One exception at this time: snapshots/ports.tar.gz isn't signed.) Emails will not be signed. As you may have noticed, the recent announcement email to misc@ had some lines stripped out of it (compare with the version that arrived via tech@). Email isn't a good channel for byte precise data transmission, which would lead to spurious signature verification failures. We'd like to avoid that. If, for some reason it is necessary to send out an announcement and prove it's authentic, we'll upload it to the appropriate place and email a link. As a particular example, we're emailing out errata patches. It is still best if you download the patch from the ftp server and verify it. Of course, this applies to 5.5 and forward. 5.4 patches won't be signed.
