On 02/09/18 17:22, Philip Mundhenk wrote:
Thank you both. That worked. Ubuntu already had a package named signify so, 
with all 3 files in the $PWD, the correct command is:

signify-openbsd -C -p openbsd-62-base.pub -x SHA256.sig install62.iso

Possibly part of the problem is that the Ubuntu package signify-openbsd-keys does 
NOT put anything in /etc but puts the keys in /usr/share/signify-openbsd-keys/ 
& that it doesn't have anything later than 59. I may try downloading 59 just to 
see if it works more intuitively.

You should send a patch for signify(1) with the correct path in the examples to the maintainer.

Re "how can you be sure that your copy of /etc/signify/openbsd-62-base.pub is 
  AFAIK, that is the same issue as with a gpg public key, & the best answer, 
using only the internet, is to find copies in multiple places on different sites, 
and determine that they are the same. I think the only way to be good at paranoia 
is to practice it ;-), so I'm trying to do tht now. If nothing else, it's a good 
logic puzzle.

Because if we allow the Constitution to become a "literary fiction" future 
generations will rightfully view us with contempt as shallow, posing slackers, this is:

Sent with ProtonMail Secure Email.

-------- Original Message --------
  On February 9, 2018 5:50 PM, Kenneth Gober  wrote:

On Fri, Feb 9, 2018 at 4:44 PM, Kevin Chadwick m8il1i...@gmail.com wrote:
On Fri, 09 Feb 2018 16:11:01 -0500
but I can't for the life of me figure out how to cryptographically
verify the legitimacy of install62.iso with SHA256.sig.
I've never done it on linux however try
signify -C -p /etc/signify/openbsd-62-base.pub -x SHA256.sig

The next question of course will be, how can you be sure that your
copy of /etc/signify/openbsd-62-base.pub is legitimate?  Someone could
have tampered with that file as easily as they could have tampered
with SHA256.sig.

You can go to https://www.openbsd.org/62.html to get the 6.2 signify
keys, but how sure can you be that the site hasn't been compromised?
Or that the site you see in your browser is even the real one?  At
some point you need to convince yourself that you have a good key.
The keys have been published in various places, and the last several
CD releases (from 5.5 or so until CD distribution stopped) had the
signify keys actually printed on the CD labels.  Each release of
OpenBSD includes keys for the next release, so once you have a key you
trust you can use that to verify that version, then use the key in
that version to verify the next version, and so on.

This paper provides some good background about why signify rather than
https or gpg:



Reply via email to