On Fri, Feb 9, 2018 at 4:44 PM, Kevin Chadwick <m8il1i...@gmail.com> wrote:
> On Fri, 09 Feb 2018 16:11:01 -0500
>> but I can't for the life of me figure out how to cryptographically
>> verify the legitimacy of install62.iso with SHA256.sig.
> I've never done it on linux however try
> signify -C -p /etc/signify/openbsd-62-base.pub -x SHA256.sig
> https://man.openbsd.org/signify

The next question of course will be, how can you be sure that your
copy of /etc/signify/openbsd-62-base.pub is legitimate?  Someone could
have tampered with that file as easily as they could have tampered
with SHA256.sig.

You can go to https://www.openbsd.org/62.html to get the 6.2 signify
keys, but how sure can you be that the site hasn't been compromised?
Or that the site you see in your browser is even the real one?  At
some point you need to convince yourself that you have a good key.
The keys have been published in various places, and the last several
CD releases (from 5.5 or so until CD distribution stopped) had the
signify keys actually printed on the CD labels.  Each release of
OpenBSD includes keys for the next release, so once you have a key you
trust you can use that to verify that version, then use the key in
that version to verify the next version, and so on.

This paper provides some good background about why signify rather than
https or gpg:



Reply via email to