> The official CD set contains the signify keys for that release and the
> next one. Once you have a known good copy of one set, you can always obtain
> future ones securely.
>
> You don't even need to use the CD set to install, just as a way of obtaining
> the signify keys with a high degree of confidence.
This is the real thing bothering me. I don't even have a CD drive available, and I was about to ask if it would be possible to get the signify keys via paper mail in exchange for a donation. But both paper and CDs can be intercepted and tampered with (with some effort).

> I currently just assume they are correct because it'd be enormously
> complex to spoof the entire OpenBSD distribution, but I shouldn't have
> to rely on "security through effort involved".

Exactly, and this is a problem with the CDs too. There's currently no way to securely bootstrap the chain of trust.

HTTPS is a way to do that. Yes, we would have to rely on third parties (CAs). It can be optional (so that a text browser from an ancient unsupported release can still access the plain HTTP version fine). It can be just a single page like keys.openbsd.org so that few extra computing resources are used. It doesn't have to be Let's Encrypt - heck, I'm willing to go to RapidSSL or whoever and pay for it myself if someone can give me a CSR and assist with domain validation.

K.

