Re: firmware.openbsd.org (SHA256)
On Wed, Feb 13, 2019 at 04:41:56PM +0100, Oleg Pahl wrote: > Hi all, > > I use 6.4 Release. > I install fm on my laptop from http://firmware.openbsd.org/firmware/6.4/ > This URL i found in man page FW_UPDATE(1) > You can see that ( index.txt ) has one file more then as on server! It doesn't matter. Getting a consistent global SHA256 / SHA256.sig for distributed sets of packages or firmwares is difficult at best. For precisely that reason, packages are individually signed. And both pkg_add *and* fw_update will refuse to install anything that's not signed *by default*. You can actually check the signature yourself, it's directly in the gzip header comment (so that you can't pass unsigned data through zlib for decompressions). RTFM signify(1) -z mode
Re: firmware.openbsd.org (SHA256)
On 2019/02/13 16:41, Oleg Pahl wrote: > Hi all, > > I use 6.4 Release. > I install fm on my laptop from http://firmware.openbsd.org/firmware/6.4/ > This URL i found in man page FW_UPDATE(1) > You can see that ( index.txt ) has one file more then as on server! > > --- > > From index.txt: > > -rw-r--r-- 1 0 0 1707 Oct 16 22:41:37 2018 SHA256 > > --- > > > This file I need to check that NSA don't ... The firmware packages are signed. fw_update downloads and verifies signatures under restricted privileges, and (just like pkg_add with binary packages) it doesn't proceed to decompress or parse the files unless the signature is valid. There is also a signed SHA256.sig file if you want to check signatures. If you don't trust tgz files on a server, you can't trust an unsigned SHA256 file either. > Please explain me why this file is absent on -> firmware.openbsd.org SHA256 actually is present, but is not included in index.html due to how the index and SHA256 files are updated.
