On 2019/02/13 16:41, Oleg Pahl wrote: > Hi all, > > I use 6.4 Release. > I install fm on my laptop from http://firmware.openbsd.org/firmware/6.4/ > This URL i found in man page FW_UPDATE(1) > You can see that ( index.txt ) has one file more then as on server! > > --- > > From index.txt: > > -rw-r--r-- 1 0 0 1707 Oct 16 22:41:37 2018 SHA256 > > --- > > > This file I need to check that NSA don't ...
The firmware packages are signed. fw_update downloads and verifies signatures under restricted privileges, and (just like pkg_add with binary packages) it doesn't proceed to decompress or parse the files unless the signature is valid. There is also a signed SHA256.sig file if you want to check signatures. If you don't trust tgz files on a server, you can't trust an unsigned SHA256 file either. > Please explain me why this file is absent on -> firmware.openbsd.org SHA256 actually is present, but is not included in index.html due to how the index and SHA256 files are updated.