The firmwares are packages, and are signed with the
/etc/signify/ key.

There is no risk.

Mogens Jensen <> wrote:

> I was just trying out the fw_update program on OpenBSD 6.5, deleting/
> installing all the firmware and was wondering if fw_update will verify
> the files before installing?
> There is a SHA256.sig in the remote firmware directory, but no
> indication from fw_update, even with verbose output, if this is
> actually used.
> After looking at the source and manpage of fw_update, it was still not
> clear to me if files are checked against SHA256.sig. For syspatch, it's
> easy to tell from both source, manpage and program output.
> Normally I would just assume that fetched files are verified, but maybe
> in the case with fw_update, the rationale is that firmware files are
> binary blobs so we can't know if they are malicious anyway, therefore
> no reason to bother with verification.
> As firmware is fetched over plain HTTP, I guess that in case of no
> verification it would in theory make the system vulnerable to a MITM
> attack, but I'm no expert.
> Regards,
> Mogens Jensen

Reply via email to