Am 08.09.14 12:25, schrieb Giancarlo Razzolini:
On 07-09-2014 16:12, Elmar Stellnberger wrote:
If I purchase a set of OpenBSD CDs or if I download them via http or ftp then I
am in need of verifying my CDs/images.
If the NSA regularly intercepts laptop shipment so it may do with the shipment
of OpenBSD CDs.
Now; how to obtain an authentic copy of your public key?
Buy a CD set or download the install.iso from a mirror, and then
download the SHA256 from many places using different isp's/vpn/tor.
After that use signify to check things. This is your best bet at this
moment.
There is likely no better solution than buying an OpenBSD or Linux DVD with a
magazine at the next newspaper kiosk
as such a purchase will be 100% anonymous with regards to the actual copy of
the magazine you select: it will be
impossible to alter the magazine just for a specific user and altering all the
copies of a magazine would be discovered
quickly.
Yes, this would be a solution. But who would pay the magazine to put the
key there?
I had just bought such a magzine which shipped install55.iso as a whole.
If the keys would have been in the root directory of that .iso then: Hooray!
Sometimes they also ship the 'system rescue CD' as a whole; look at my
proposal here:
http://www.sysresccd.org/forums/viewtopic.php?f=6&t=5208
There may be other solutions of obtaining an authentic copy of your projects
public key like DNSSEC/DANE;
nonetheless the one proposed in here is for sure the most simple and straight
forward one:
DNSSEC has been discussed many times on this list, it will simply not be
implemented. And, with signify, if you can be 99.99% sure that you got a
release right, then the next ones you'll get 99.9999% right, because the
keys for the upcoming release are on the current one. And this will keep
going for the foreseeable future.
I welcome your provision of the signify tool. What I still do not know is
where on install55.iso I can find the pubkey and the sigfile for verifying
the iso by itself (test run) as well as further isos (many Linux distros use
the root directory for these files). You did not 'forget' to ship these
files,
did you? I just please you to put sth. like a README there to make new
or low-brow users know which tool to use i.e. signify and where to find
the pubkey and signing data and the session length. The session length
is the third important parameter to know when verifying already burnt
.isos because they tend to be zero padded at the tail (disregarding this
fact will usually make the verification fail).
Cheers,
By the way, do you have any good reason to distrust gpg?
Cheers,
Elmar
