On 12/08/14 18:27, Long Wind wrote: > I raise the question again. > During installation, I am asked: > > Directory does not contain SHA256.sig. Continue without verification? [no] > > I have to enter yes to let it proceed: > > Installing bsd > Installing bsd.rd > Installing base55.tgz > ... > > I have downloaded CD image for i386 and burned it and booted it > I think I shall not encounter such a question > Why SHA256.sig isn't on CD? > > Thanks to all those who reply (replied)!! >
If someone was able to modify the ISO to tamper with the sets, they could also alter the keys included, and change the checksums and .sig file. In this case, you would be told everything was fine and it would continue installing. That is why you should verify the install ISO itself before booting/installing.
