On 07-09-2014 16:12, Elmar Stellnberger wrote:
> If I purchase a set of OpenBSD CDs or if I download them via http or ftp then I am in need of verifying my CDs/images.
> If the NSA regularly intercepts laptop shipments, so it may do with the shipment of OpenBSD CDs.
> Now; how to obtain an authentic copy of your public key?

Buy a CD set or download the install.iso from a mirror, and then download the SHA256 from many places using different ISPs/VPN/Tor. After that use signify to check things. This is your best bet at this moment.

> There is likely no better solution than buying an OpenBSD or Linux DVD with a magazine at the next newspaper kiosk
> as such a purchase will be 100% anonymous with regards to the actual copy of the magazine you select: it will be
> impossible to alter the magazine just for a specific user and altering all the copies of a magazine would be discovered
> quickly.

Yes, this would be a solution. But who would pay the magazine to put the key there?

> There may be other solutions of obtaining an authentic copy of your project's public key like DNSSEC/DANE;
> nonetheless the one proposed in here is for sure the most simple and straightforward one:

DNSSEC has been discussed many times on this list, it will simply not be implemented. And, with signify, if you can be 99.99% sure that you got a release right, then the next ones you'll get 99.9999% right, because the keys for the upcoming release are on the current one. And this will keep going for the foreseeable future.
Cheers,
-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
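The "fetch the SHA256 from many places, then use signify" procedure the reply describes, as an added shell example that is not part of this thread or of the OpenBSD project: it checks that independently fetched copies of the signed checksum list agree before trusting any of them, and only then hands the image to signify. The copies are assumed to be already on disk, the public-key path (`openbsd-XX-base.pub`) is a placeholder, and the sample SHA256 contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the SHA256.sig copies were already
# fetched over independent paths (different ISPs, a VPN, Tor) and saved locally.

# Digest one file; works with OpenBSD sha256(1) or GNU coreutils sha256sum.
digest_of() {
    { sha256 -q "$1" 2>/dev/null || sha256sum "$1"; } | awk '{print $1}'
}

# Return 0 only if every copy passed in is byte-identical (same digest), else 1.
# One disagreeing copy is enough to distrust the whole set: a substitution on a
# single delivery path is exactly the targeted attack the thread worries about.
all_copies_agree() {
    [ "$#" -ge 2 ] || return 1
    first=$(digest_of "$1")
    for f in "$@"; do
        [ "$(digest_of "$f")" = "$first" ] || return 1
    done
    return 0
}

# Verify the image against the signed checksum list with signify(1).
# The key path is a placeholder; as the reply notes, the key for the upcoming
# release ships with the current one, so take it from an already verified install.
verify_image() {
    signify -C -p "${SIGNIFY_KEY:-/etc/signify/openbsd-XX-base.pub}" -x "$1" "$2"
}

# Constructed sample data: two copies that agree and one altered in transit.
demo=$(mktemp -d)
printf 'SHA256 (install.iso) = 00112233-constructed-placeholder-digest\n' > "$demo/SHA256.sig.isp"
cp "$demo/SHA256.sig.isp" "$demo/SHA256.sig.tor"
printf 'SHA256 (install.iso) = ffeeddcc-constructed-altered-digest\n' > "$demo/SHA256.sig.vpn"

if all_copies_agree "$demo/SHA256.sig.isp" "$demo/SHA256.sig.tor" "$demo/SHA256.sig.vpn"; then
    echo "all copies agree; handing off to signify"
    [ -f install.iso ] && verify_image "$demo/SHA256.sig.isp" install.iso
else
    echo "MISMATCH: a path served a different SHA256.sig; trust none of them yet"
fi
```

Run it with real copies in place of the constructed files; a mismatch is a signal to fetch again over yet another path before running signify at all.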

