On Sun, Jun 15, 2014 at 05:09:20PM -0400, Ted Unangst wrote:
> On Sun, Jun 15, 2014 at 14:12, Aaron Gomez wrote:
> > I looked at the signify command but I can't figure out how to check all
> > the files and then create the SHA256.sig.
> >
> > I tried "signify -S -s myprivatekey.sec -m SHA256 -x SHA256.sig" but
> > that just created a file SHA256.sig with the following contents:
> >
> > untrusted comment: signature from signify secret key
> > RWQ/YLxjYycyl9yO0Qz8OyKSG9NnreWqIqIvMrJ64hJ2XqsXcElZB8BW8h/tGfvR44cRyAlIk10pUntzg9R0Z1p5+e+1tHFzkAs=
>
> You need the -e flag to embed the message into the signature.
>
> > I then ran sha256 against all of the files and copied the output to the
> > SHA256.sig file, created a new install cd and tried again. This time it
> > failed telling me that I used the incorrect key.
>
> The main problem is that the CD will attempt to verify against a key
> named openbsd-55-base.pub, which we ship. That's not going to match
> the private key you generated and are using.
>
> > What do I need to do to make it so the installer can verify my newly
> > created release files?
>
> The best approach, but it's more work, would be to change install.sh
> to look for a key like aaron-55-base.pub and add that to the ramdisk.
> The shortcut would be to replace the openbsd key, but that will only
> cause confusion later, so I'd try not to.
>
> That said, you probably don't need to sign releases you're building
> for yourself, unless they are travelling over untrusted links. We sign
> releases because they go from OpenBSD servers to you over the scary
> internet. If you control distribution, that's less scary.
Wouldn't something like below make life easier?
Index: install.sub
===================================================================
RCS file: /cvs/src/distrib/miniroot/install.sub,v
retrieving revision 1.775
diff -u -p -r1.775 install.sub
--- install.sub 9 Jun 2014 18:05:55 -0000 1.775
+++ install.sub 16 Jun 2014 19:55:49 -0000
@@ -86,6 +86,7 @@ shift $((OPTIND-1))
# MDCDDEVS - '/^cd[0-9][0-9]* /s/ .*//p' assumed if not provided
# MDMTDEVS - '/^[cms]t[0-9][0-9]* /s/ .*//p'
# MDXAPERTURE - set machdep.allowaperture=value in sysctl.conf
+# MDSIGNKEY - path to signify public key
# NCPU - the number of cpus for mp capable arches
. install.md
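Review bot: the new MDSIGNKEY comment should state its default the way the neighbouring entries do (MDCDDEVS spells out what is "assumed if not provided"); since the second hunk falls back to /etc/signify/openbsd-${VERSION}-base.pub when MDSIGNKEY is unset, say so here, e.g. `# MDSIGNKEY - path to signify public key, /etc/signify/openbsd-${VERSION}-base.pub if not provided`, so whoever sets it in install.md knows which key they are overriding.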
@@ -1158,6 +1159,7 @@ install_files() {
local _src=$1 _files=$2 _f _sets _get_sets _n _col=$COLUMNS \
_tmpfs _tmpsrc _cfile _fsrc _unver _t _issue _srclocal
+ export
SIGNKEY=${SIGNKEY:-${MDSIGNKEY:-/etc/signify/openbsd-${VERSION}-base.pub}}
# Initialize _sets to the list of sets found in _src, and initialize
# _get_sets to the intersection of _sets and DEFAULTSETS.
#
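Review bot: as posted, `export` and the `SIGNKEY=...` assignment sit on separate lines; a bare `export` prints the exported environment and the assignment on the following line is then a plain shell assignment, so if this is a mail wrap the line needs rejoining before commit, and if it is not, it is a bug. Separately, nothing in the diff shows a child process reading SIGNKEY, so a `local SIGNKEY=...` next to the existing `local` list would keep the variable scoped to install_files() instead of exporting it. Note also that `${SIGNKEY:-...}` means an already-set SIGNKEY in the installer's environment, not only install.md's MDSIGNKEY, decides which public key the sets are checked against; that precedence is worth recording in the MDSIGNKEY comment of the first hunk.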
@@ -1244,7 +1246,7 @@ install_files() {
_issue="Cannot fetch SHA256.sig" && break
# Verify signature file with public keys
- ! signify -Vep /etc/signify/openbsd-${VERSION}-base.pub \
+ ! signify -Vep ${SIGNKEY} \
-x "$_cfile.sig" -m "$_cfile" &&
_issue="Signature check of SHA256.sig failed" && break
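Review bot: `${SIGNKEY}` is unquoted while the neighbouring `-x "$_cfile.sig" -m "$_cfile"` arguments are quoted; use `"$SIGNKEY"` so a key path containing spaces is not word-split. Also, when the configured key file is missing or unreadable, signify fails and the user sees only "Signature check of SHA256.sig failed", the same message as for a genuinely bad signature; a `[ -r "$SIGNKEY" ]` test before the signify call (or including $SIGNKEY in the _issue text) would separate "no such key" from "signature mismatch", which is the confusion this thread started from.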
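The "incorrect key" failure in the quoted exchange is signify's key-number check: both a public key file and a signature file carry an 8-byte key number after the 2-byte "Ed" algorithm tag, and `signify -V` compares them before it does any Ed25519 arithmetic, which is why a signature from a freshly generated key is rejected against openbsd-55-base.pub before its content is even looked at. The following parser is an added example for this thread, not code from OpenBSD or signify; it assumes only the on-disk layout just described (comment line, one base64 line, and with `-e` the message appended verbatim). The signature pasted above is used as sample input; the shipped public key is not on the page, so a constructed stand-in with a different key number takes its place, and the final Ed25519 step uses the third-party `cryptography` package when it is installed.

```python
"""Parse signify(1) public-key and signature files and reproduce the
"checked against wrong key" decision the installer made in the thread.

File layout (from signify's on-disk structs):
  line 1: "untrusted comment: ..."
  line 2: base64 of  "Ed" | 8-byte key number | 32-byte Ed25519 pubkey   (pubkey file)
                     "Ed" | 8-byte key number | 64-byte Ed25519 signature (sig file)
  with -e, the signed message follows the base64 line verbatim.
"""
import base64

ALG = b"Ed"
KEYNUM_LEN, PUBKEY_LEN, SIG_LEN = 8, 32, 64
COMMENT_HDR = b"untrusted comment: "


class SignifyError(Exception):
    """Raised for files that do not follow the signify layout."""


def _split_file(data: bytes):
    """Return (comment, decoded binary blob, bytes after the base64 line)."""
    parts = data.split(b"\n", 2)
    if len(parts) < 2 or not parts[0].startswith(COMMENT_HDR):
        raise SignifyError("missing 'untrusted comment:' header line")
    comment = parts[0][len(COMMENT_HDR):].decode("utf-8", "replace")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise SignifyError("second line is not valid base64") from exc
    rest = parts[2] if len(parts) == 3 else b""
    return comment, blob, rest


def parse_pubkey(data: bytes) -> dict:
    comment, blob, _ = _split_file(data)
    if blob[:2] != ALG or len(blob) != 2 + KEYNUM_LEN + PUBKEY_LEN:
        raise SignifyError("not an Ed25519 signify public key")
    return {"comment": comment, "keynum": blob[2:2 + KEYNUM_LEN],
            "pubkey": blob[2 + KEYNUM_LEN:]}


def parse_signature(data: bytes) -> dict:
    comment, blob, message = _split_file(data)
    if blob[:2] != ALG or len(blob) != 2 + KEYNUM_LEN + SIG_LEN:
        raise SignifyError("not an Ed25519 signify signature")
    # Without -e the message is empty: the signature was made over the
    # original SHA256 file, so even a matching key could not verify it here.
    return {"comment": comment, "keynum": blob[2:2 + KEYNUM_LEN],
            "sig": blob[2 + KEYNUM_LEN:], "message": message}


def is_signify_file(data: bytes) -> bool:
    """True if `data` parses as either a signify public key or signature."""
    for parser in (parse_pubkey, parse_signature):
        try:
            parser(data)
            return True
        except SignifyError:
            pass
    return False


def verify_embedded(pubkey_data: bytes, sig_data: bytes) -> str:
    """Mirror `signify -Ve`: key-number check first, then Ed25519 over the embedded message."""
    pub = parse_pubkey(pubkey_data)
    sig = parse_signature(sig_data)
    if pub["keynum"] != sig["keynum"]:
        # The installer's path in the thread: the shipped key has a different
        # key number than the user's own key, so signify stops right here.
        return "verification failed: checked against wrong key"
    try:  # Ed25519 itself is delegated to the third-party `cryptography` package.
        from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
        from cryptography.exceptions import InvalidSignature
    except ImportError as exc:
        raise SignifyError("Ed25519 backend (cryptography) not available") from exc
    try:
        Ed25519PublicKey.from_public_bytes(pub["pubkey"]).verify(sig["sig"], sig["message"])
    except InvalidSignature:
        return "signature verification failed"
    return "Signature Verified"


def build_file(comment: str, blob: bytes, message: bytes = b"") -> bytes:
    """Serialize a signify file: comment line, base64 line, optional embedded message."""
    return COMMENT_HDR + comment.encode() + b"\n" + base64.b64encode(blob) + b"\n" + message


# Sample input: the SHA256.sig pasted in the thread (signed without -e, so no message).
THREAD_SIG_FILE = (
    b"untrusted comment: signature from signify secret key\n"
    b"RWQ/YLxjYycyl9yO0Qz8OyKSG9NnreWqIqIvMrJ64hJ2XqsXcElZB8BW8h/tGfvR44cRyAlIk10pUntzg9R0Z1p5+e+1tHFzkAs=\n"
)

# Constructed stand-in for openbsd-55-base.pub: the real key is not on the page, so this
# uses a deliberately different key number and a dummy all-zero 32-byte public key.
SHIPPED_PUBKEY_FILE = build_file("openbsd 5.5 base public key (constructed stand-in)",
                                 ALG + bytes(range(KEYNUM_LEN)) + bytes(PUBKEY_LEN))


def demo() -> str:
    """What the installer reported: the thread's signature against the shipped key."""
    return verify_embedded(SHIPPED_PUBKEY_FILE, THREAD_SIG_FILE)


if __name__ == "__main__":
    print(demo())
```

Running it prints the wrong-key result without touching any cryptography, which is the point: the key number is a routing hint, not a security check, and the only ways out are the ones Ted lists, a key whose number the installer is told to look for, or not signing at all when the release never leaves a trusted path.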