On Sun, Jun 15, 2014 at 05:09:20PM -0400, Ted Unangst wrote:
> On Sun, Jun 15, 2014 at 14:12, Aaron Gomez wrote:
> > I looked at the signify command but I can't figure out how to check all
> > the files and then create the SHA256.sig.
> >
> > I tried "signify -S -s myprivatekey.sec -m SHA256 -x SHA256.sig" but
> > that just created a file SHA256.sig with the following contents:
> >
> > untrusted comment: signature from signify secret key
> > RWQ/YLxjYycyl9yO0Qz8OyKSG9NnreWqIqIvMrJ64hJ2XqsXcElZB8BW8h/tGfvR44cRyAlIk10pUntzg9R0Z1p5+e+1tHFzkAs=
>
> You need the -e flag to embed the message into the signature.
>
> > I then ran sha256 against all of the files and copied the output to the
> > SHA256.sig file, created a new install cd and tried again. This time it
> > failed telling me that I used the incorrect key.
>
> The main problem is that the CD will attempt to verify against a key
> named openbsd-55-base.pub, which we ship. That's not going to match
> the private key you generated and are using.
>
> > What do I need to do to make it so the installer can verify my newly
> > created release files?
>
> The best approach, but it's more work, would be to change install.sh
> to look for a key like aaron-55-base.pub and add that to the ramdisk.
> The shortcut would be to replace the openbsd key, but that will only
> cause confusion later, so I'd try not to.
>
> That said, you probably don't need to sign releases you're building
> for yourself, unless they are travelling over untrusted links. We sign
> releases because they go from OpenBSD servers to you over the scary
> internet. If you control distribution, that's less scary.

Wouldn't something like below make life easier? Index: install.sub =================================================================== RCS file: /cvs/src/distrib/miniroot/install.sub,v retrieving revision 1.775 diff -u -p -r1.775 install.sub --- install.sub 9 Jun 2014 18:05:55 -0000 1.775 +++ install.sub 16 Jun 2014 19:55:49 -0000 @@ -86,6 +86,7 @@ shift $((OPTIND-1)) # MDCDDEVS - '/^cd[0-9][0-9]* /s/ .*//p' assumed if not provided # MDMTDEVS - '/^[cms]t[0-9][0-9]* /s/ .*//p' # MDXAPERTURE - set machdep.allowaperture=value in sysctl.conf +# MDSIGNKEY - path to signify public key # NCPU - the number of cpus for mp capable arches . install.md @@ -1158,6 +1159,7 @@ install_files() { local _src=$1 _files=$2 _f _sets _get_sets _n _col=$COLUMNS \ _tmpfs _tmpsrc _cfile _fsrc _unver _t _issue _srclocal + export SIGNKEY=${SIGNKEY:-${MDSIGNKEY:-/etc/signify/openbsd-${VERSION}-base.pub}} # Initialize _sets to the list of sets found in _src, and initialize # _get_sets to the intersection of _sets and DEFAULTSETS. # @@ -1244,7 +1246,7 @@ install_files() { _issue="Cannot fetch SHA256.sig" && break # Verify signature file with public keys - ! signify -Vep /etc/signify/openbsd-${VERSION}-base.pub \ + ! signify -Vep ${SIGNKEY} \ -x "$_cfile.sig" -m "$_cfile" && _issue="Signature check of SHA256.sig failed" && break
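
Review bot: In the last hunk, `${SIGNKEY}` is passed to `signify -Vep` unquoted while the neighbouring `"$_cfile.sig"` and `"$_cfile"` arguments are quoted; write `signify -Vep "$SIGNKEY"` so a key path containing whitespace or glob characters is not split or expanded. In the `install_files()` hunk, the new assignment lets an already-set `SIGNKEY` take precedence over `MDSIGNKEY`, but the comment added in the first hunk documents only `MDSIGNKEY`. Since this variable now selects the public key that SHA256.sig is verified against, either document `SIGNKEY` alongside it or drop it and use `MDSIGNKEY` alone. The `export` also looks unnecessary in the lines shown, where the value is only used as a command argument. Finally, a missing or mistyped key path will be reported as "Signature check of SHA256.sig failed", so a separate existence check on the key file with its own `_issue` message would make that case distinguishable from a bad signature.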