The firmwares are packages, and are signed with the /etc/signify/openbsd-XX-fs.pub key.
There is no risk.

Mogens Jensen <mogens-jen...@protonmail.com> wrote:
> I was just trying out the fw_update program on OpenBSD 6.5, deleting/
> installing all the firmware and was wondering if fw_update will verify
> the files before installing?
>
> There is a SHA256.sig in the remote firmware directory, but no
> indication from fw_update, even with verbose output, if this is
> actually used.
>
> After looking at the source and manpage of fw_update, it was still not
> clear to me if files are checked against SHA256.sig. For syspatch, it's
> easy to tell from both source, manpage and program output.
>
> Normally I would just assume that fetched files are verified, but maybe
> in the case with fw_update, the rationale is that firmware files are
> binary blobs so we can't know if they are malicious anyway, therefore
> no reason to bother with verification.
>
> As firmware is fetched over plain HTTP, I guess that in case of no
> verification it would in theory make the system vulnerable to a MITM
> attack, but I'm no expert.
>
>
> Regards,
> Mogens Jensen
>
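The check behind the reply is the one signify(1) performs with `-C`: the signature on SHA256.sig is verified against the per-release public key, and only then is each fetched package compared with the digest listed in the signed message, so a blob altered in transit over plain HTTP fails regardless of how it was delivered. The following added example (not fw_update's or signify's own code) shows the second half of that pipeline in Python: it splits a SHA256.sig-shaped text into its signify header and signed message, parses the `SHA256 (name) = digest` lines, and checks constructed sample packages against them. The Ed25519 signature verification itself is left to signify; the file names, payloads and signature line here are constructed placeholders.

```python
import hashlib
import hmac
import re

# Layout of an OpenBSD SHA256.sig: an "untrusted comment:" line, a base64
# signify signature line, then the signed message, which is a list of
# "SHA256 (filename) = hexdigest" entries in the format sha256(1) -c reads.
MANIFEST_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

# Constructed sample "packages" standing in for firmware tarballs (not real firmware).
SAMPLE_FILES = {
    "example-fw-1.0.tgz": b"constructed firmware payload A",
    "example-fw-2.1.tgz": b"constructed firmware payload B",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_sig() -> str:
    """Assemble a SHA256.sig-shaped text over SAMPLE_FILES.

    The signature line is a placeholder, not a real signify signature: in a
    real check signify(1) validates it against the release's -fw.pub key
    before the digest list below is trusted at all.
    """
    lines = [
        "untrusted comment: verify with openbsd-XX-fw.pub (constructed sample)",
        "RWRPLACEHOLDERSIGNATURELINE",  # placeholder, not a valid signature
    ]
    for name, data in sorted(SAMPLE_FILES.items()):
        lines.append(f"SHA256 ({name}) = {sha256_hex(data)}")
    return "\n".join(lines) + "\n"


def signed_message(sig_text: str) -> str:
    """Return the message part of a signify-signed file (after the two header lines).

    Only the framing is handled here; whether the signature over this message
    is valid is signify's job and is assumed to have passed.
    """
    lines = sig_text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a signify-signed file")
    return "\n".join(lines[2:]) + "\n"


def parse_manifest(message: str) -> dict:
    """Map file name -> expected hex digest; reject any line not in the expected shape."""
    digests = {}
    for line in message.splitlines():
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        digests[m["name"]] = m["digest"]
    return digests


def check_file(name: str, data: bytes, digests: dict) -> bool:
    """True only if the file is listed in the signed manifest and its digest matches.

    A file the signed list does not mention is rejected, not merely "unchecked".
    """
    expected = digests.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_firmware(sig_text: str, name: str, data: bytes) -> bool:
    """End-to-end: framing -> manifest -> digest comparison for one fetched package."""
    return check_file(name, data, parse_manifest(signed_message(sig_text)))


if __name__ == "__main__":
    sig = build_sample_sig()
    for fname, payload in SAMPLE_FILES.items():
        print(fname, "ok" if verify_firmware(sig, fname, payload) else "REJECTED")
    # A package modified in transit no longer matches the signed digest.
    print("tampered:", verify_firmware(sig, "example-fw-1.0.tgz", b"modified in transit"))
```

The point the reply makes follows from the ordering: the digest list is only meaningful because signify has already checked its signature with a key that shipped with the base system, so the plain-HTTP transport adds no trust of its own and an attacker who can alter the download can only produce a package that fails the comparison.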