Thank you both. That worked. Ubuntu already had a package named signify so, 
with all 3 files in the $PWD, the correct command is:

signify-openbsd -C -p -x SHA256.sig install62.iso

Possibly part of the problem is that the Ubuntu package signify-openbsd-keys 
does NOT put anything in /etc but puts the keys in 
/usr/share/signify-openbsd-keys/ & that it doesn't have anything later than 59. 
I may try downloading 59 just to see if it works more intuitively.

Re "how can you be sure that your copy of /etc/signify/ is 
 AFAIK, that is the same issue as with a gpg public key, & the best answer, 
using only the internet, is to find copies in multiple places on different 
sites, and determine that they are the same. I think the only way to be good at 
paranoia is to practice it ;-), so I'm trying to do tht now. If nothing else, 
it's a good logic puzzle.

Because if we allow the Constitution to become a "literary fiction" future 
generations will rightfully view us with contempt as shallow, posing slackers, 
this is:

Sent with ProtonMail Secure Email.

-------- Original Message --------
 On February 9, 2018 5:50 PM, Kenneth Gober  wrote:

>On Fri, Feb 9, 2018 at 4:44 PM, Kevin Chadwick wrote:
>>On Fri, 09 Feb 2018 16:11:01 -0500
>>>but I can't for the life of me figure out how to cryptographically
>>> verify the legitimacy of install62.iso with SHA256.sig.
>>>I've never done it on linux however try
>>signify -C -p /etc/signify/ -x SHA256.sig
> The next question of course will be, how can you be sure that your
> copy of /etc/signify/ is legitimate?  Someone could
> have tampered with that file as easily as they could have tampered
> with SHA256.sig.
> You can go to to get the 6.2 signify
> keys, but how sure can you be that the site hasn't been compromised?
> Or that the site you see in your browser is even the real one?  At
> some point you need to convince yourself that you have a good key.
> The keys have been published in various places, and the last several
> CD releases (from 5.5 or so until CD distribution stopped) had the
> signify keys actually printed on the CD labels.  Each release of
> OpenBSD includes keys for the next release, so once you have a key you
> trust you can use that to verify that version, then use the key in
> that version to verify the next version, and so on.
> This paper provides some good background about why signify rather than
> https or gpg:
> -ken

Reply via email to