On Sun, Jun 15, 2014 at 14:12, Aaron Gomez wrote: > I looked at the signify command but I can't figure out how to check all > the files and then create the SHA256.sig. > > I tried "signify -S -s myprivatekey.sec -m SHA256 -x SHA256.sig" but > that just created a file SHA256.sig with the following contents: > > untrusted comment: signature from signify secret key > RWQ/YLxjYycyl9yO0Qz8OyKSG9NnreWqIqIvMrJ64hJ2XqsXcElZB8BW8h/tGfvR44cRyAlIk10pUntzg9R0Z1p5+e+1tHFzkAs=
You need the -e flag to embed the message into the signature. > I then ran sha256 against all of the files and copied the output to the > SHA256.sig file, created a new install cd and tried again. This time it > failed telling me that I used the incorrect key. The main problem is that the CD will attempt to verify against a key named openbsd-55-base.pub, which we ship. That's not going to match the private key you generated and are using. > What do I need to do to make it so the installer can verify my newly > created release files? The best approach, but it's more work, would be to change install.sh to look for a key like aaron-55-base.pub and add that to the ramdisk. The shortcut would be to replace the openbsd key, but that will only cause confusion later, so I'd try not to. That said, you probably don't need to sign releases you're building for yourself, unless they are travelling over untrusted links. We sign releases because they go from OpenBSD servers to you over the scary internet. If you control distribution, that's less scary.
