On Wed, Feb 21, 2018 at 10:10:30AM +0100, Jean-Michel Pouré wrote:
> 
> I know this is a little bit far-fetched, pardon my ignorance, but
> OpenBSD seems vulnerable on first installation. In case of DNS
> poisoning, what can stop a virus from forwarding the installer to a
> false SHA256.sig and false repository? My guess would be to use
> DNSSEC and a local copy of an OpenBSD repository to avoid such an issue.

The installer has enough material to check the cryptographic signature
on SHA256.sig.

If the downloaded file doesn't have a valid signature (according to the public
key the installer has), it will complain and not use it.

> Also I still don't understand the logic of not embedding SHA256.sig in
> the ISO. A SHA256.sig exists, why NOT use it?

Because the installer has to trust the public key on the ISO.

If someone is able to provide a fake ISO, he will also provide a fake
SHA256.sig and/or a fake public key on the ISO. So there is no gain in
providing such material, as people will think "it is safe" whereas it is
not.

Thanks.
-- 
Sebastien Marie
