On Tue, 20 Feb 2018 19:23:05 +0200
> Isn't the same true when I download file sets from any mirror? After
> all I download SHA256.sig and file sets from mirror, how can I trust
> it?

I am not a developer, but my take is that they do not want to tell you it is verified if you have been given a CD etc. Anything could have been booted and tell you it is verified.

You can verify the .iso manually, and you can use e.g. isomaster to add sha256.sig to the CD, in which case it will verify them. I have used this in the past, as a scratched rw seemingly fails sooner on verify than reading and also won't try to upgrade.

If you have already manually verified bsd.rd and booted from that, as I and I guess most developers do most often when upgrading, then you do want it to tell you the http retrieval verified. I guess it was the simplest way, considering installer size constraints/battles, to avoid misinforming the user.