Re: firmware.openbsd.org (SHA256)

2019-02-13 Thread Marc Espie 
On Wed, Feb 13, 2019 at 04:41:56PM +0100, Oleg Pahl wrote:
> Hi all,
> 
> I use 6.4 Release.
> I install fm on my laptop from http://firmware.openbsd.org/firmware/6.4/
> This URL i found in man page FW_UPDATE(1)
> You can see that ( index.txt ) has one file more then as on server!

It doesn't matter.

Getting a consistent global SHA256 / SHA256.sig  for distributed sets
of packages or firmwares   is  difficult at best.

For precisely that reason, packages are individually signed.

And both pkg_add *and* fw_update will refuse to install anything that's
not signed *by default*.

You can actually check the signature yourself, it's directly in the gzip
header comment (so that you can't pass unsigned data through zlib for
decompressions).

RTFM signify(1)  -z mode

Re: firmware.openbsd.org (SHA256)

2019-02-13 Thread Stuart Henderson 
On 2019/02/13 16:41, Oleg Pahl wrote:
> Hi all,
> 
> I use 6.4 Release.
> I install fm on my laptop from http://firmware.openbsd.org/firmware/6.4/
> This URL i found in man page FW_UPDATE(1)
> You can see that ( index.txt ) has one file more then as on server!
> 
> ---
> 
> From index.txt:
> 
> -rw-r--r--  1 0  0 1707 Oct 16 22:41:37 2018 SHA256
> 
> ---
> 
> 
> This file I need to check that NSA don't ...

The firmware packages are signed. fw_update downloads and verifies
signatures under restricted privileges, and (just like pkg_add with
binary packages) it doesn't proceed to decompress or parse the files
unless the signature is valid.

There is also a signed SHA256.sig file if you want to check signatures.
If you don't trust tgz files on a server, you can't trust an unsigned
SHA256 file either.

> Please explain me why this file is absent on -> firmware.openbsd.org

SHA256 actually is present, but is not included in index.html due to
how the index and SHA256 files are updated.

firmware.openbsd.org (SHA256)

2019-02-13 Thread Oleg Pahl 

Hi all,

I use 6.4 Release.
I install fm on my laptop from http://firmware.openbsd.org/firmware/6.4/
This URL i found in man page FW_UPDATE(1)
You can see that ( index.txt ) has one file more then as on server!

---

From index.txt:

-rw-r--r--  1 0  0 1707 Oct 16 22:41:37 2018 SHA256

---


This file I need to check that NSA don't ...

Please explain me why this file is absent on -> firmware.openbsd.org

BR,
Oleg Pahl

/
Index of 6.4/

drwxr-xr-x  2019-02-12 13:53../  

-r--r--r--  18572018-10-16 22:41SHA256.sig  

-r--r--r--  132269  2018-10-16 22:41acx-firmware-1.4p5.tgz  

-r--r--r--  175991  2018-10-16 22:41athn-firmware-1.1p4.tgz  

-r--r--r--  9464409 2018-10-16 22:41bwfm-firmware-20171125.tgz  

-r--r--r--  39394   2018-10-16 22:41bwi-firmware-1.4p4.tgz  

-r--r--r--  16762018-10-16 22:41index.txt  

-r--r--r--  1586910 2018-10-16 22:41intel-firmware-20180807p0v0.tgz  

-r--r--r--  250278  2018-10-16 22:41ipw-firmware-1.3p2.tgz  

-r--r--r--  272109  2018-10-16 22:41iwi-firmware-3.1p2.tgz  

-r--r--r--  4139154 2018-10-16 22:41iwm-firmware-0.20170105.tgz  

-r--r--r--  3233866 2018-10-16 22:41iwn-firmware-5.11p1.tgz  

-r--r--r--  140369  2018-10-16 22:41malo-firmware-1.4p4.tgz  

-r--r--r--  49935   2018-10-16 22:41otus-firmware-1.0p1.tgz  

-r--r--r--  162130  2018-10-16 22:41pgt-firmware-1.2p4.tgz  

-r--r--r--  5218724 2018-10-16 22:41radeondrm-firmware-20170119.tgz  

-r--r--r--  65551   2018-10-16 22:41rsu-firmware-1.2p1.tgz  

-r--r--r--  75328   2018-10-16 22:41rtwn-firmware-20180103.tgz  

-r--r--r--  73476   2018-10-16 22:41uath-firmware-2.0p1.tgz  

-r--r--r--  24371   2018-10-16 22:41upgt-firmware-1.1p4.tgz  

-r--r--r--  63587   2018-10-16 22:41urtwn-firmware-20180103.tgz  

-r--r--r--  68204   2018-10-16 22:41uvideo-firmware-1.2p2.tgz  

-r--r--r--  45960   2018-10-16 22:41vmm-firmware-1.11.0p0.tgz  

-r--r--r--  66182   2018-10-16 22:41wpi-firmware-3.2p1.tgz