Hi,

I'm writing this
- in order to provide some feedback about my user experience (before it
even started, that is),
- because others might find a modicum of help here if they happen to
stumble on the same issue,
- in order to suggest a check for completeness for building the CD sets,
- and maybe someone might want to supply a bit of data I'm still
missing, e.g. a CD hash to cross-check. So,

I'm trying to establish a clean and uninterrupted trail of trust
(integrity-wise) from Alice the OpenBSD devs to the OpenBSD 5.5 CD set I
recently bought in a bookshop in a big German city. This proves
surprisingly difficult.

I tried to check the CDs in person with one of the devs in that city,
but he was not available at that moment (that would have been the best
solution, a second channel besides all this web machinery), so I tried
other venues.

The OpenBSD 5.5 web page provides a build key (no idea what kind of
format it's in) and the web site strongly recommends checking the CD
beforehand (just what I'm trying to do) using the signify tool, but
since I have to somehow bootstrap OpenBSD, I didn't have that tool nor
any other means of verification, e.g. an md5sum, sha256sum or so of the
CD is not provided on the website (that would have helped the
bootstrapping process). (With hindsight, I could have manually scripted
some SHA check for the OpenBSD hash file format.)

I found a gpg signed tarball http://www.fefe.de/signify/ from a porter
who is publicly known, rather well integrated in the "web of trust" GPG
style via public keyservers (a similar chain of keysigning-trust could
not be established from Theo to said dev, for instance because their
keys are relatively unsigned in comparison) and/but who does not exactly
seem to like OpenBSD, a tarball to build signify on Linux (so he helps
the project anyway), which I got to work after resolving a compiling issue.

-lcrypto was missing:

/usr/bin/ld: cannot find -lcrypto
collect2: error: ld returned 1 exit status
make: *** [signify] Fehler 1

but after some research and:

$ sudo apt-get install libssl-dev

the somewhat incompletely ported signify compiled and I was ready to
verify files on the CDs.

Most of the files I verified were reassuringly OK, but there was one issue:

One file named "SHA" verified "FAILED" because the file listed and
hashed in the SHA256.sig of the checked directory is missing on the CD.
So now there is some rest of a doubt if the CD is legit or not or if
this is just a minor production error.

Maybe this is the best I can hope for for the moment, because the public
signing infrastructure in OpenBSD is not yet fully established, and I
can live with that.

If anybody else wants to verify CD1 of the OpenBSD 5.5 CD set against
mine, here are the hashes I got from that CD:

$ time dd if=/dev/sr0 | sha256sum
1071464+0 Datensätze ein
1071464+0 Datensätze aus
548589568 Bytes (549 MB) kopiert, 484,533 s, 1,1 MB/s
338c0f72bc55bcf6462c3bf09df88a5c5c0fb4479d12383002b72bd077e90e15  -

real    8m4.546s
user    0m17.800s
sys     0m8.580s

$ time dd if=/dev/sr0 | md5sum
1071464+0 Datensätze ein
1071464+0 Datensätze aus
faa38e4af64facbb22b372275d042f7a  -
548589568 Bytes (549 MB) kopiert, 486,959 s, 1,1 MB/s

real    8m7.095s
user    0m6.308s
sys     0m11.460s

Of course, I'd appreciate if anybody from the team could verify these,
because the chain of trust from the OpenBSD devs to my CD1 is still not
exactly established with strictness.
I just checked the i386 part of CD1 with signify so far, the minimum in
order to install.

So now I'm somewhat excited to install and dive more into that "distro"
and discover more of it.
Thanks for working so hard! I took a look at the libReSSL comments ...
hilarious!
Peer
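
The message above mentions that a SHA check for the OpenBSD hash file format could have been scripted by hand, and that one listed file ("SHA") was absent from the CD. The following is an added example, not part of the original message and not signify itself: it assumes the BSD-style line format `SHA256 (name) = digest`, uses constructed file names and contents, and separates a missing file from a digest mismatch. It does not verify the signature on the list, so the list is only as trustworthy as the channel it came from.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed BSD-style line: "SHA256 (name) = <64 hex digits>"; names containing "/" are rejected.
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^/]+)\) = (?P<digest>[0-9a-f]{64})$")

def parse_checksums(text):
    """Return {filename: digest}; other lines (signify comment/signature) are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return {m["name"]: m["digest"] for m in matches if m}

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large install sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_directory(directory, checksum_text):
    """Classify each listed file as OK, FAILED (digest mismatch) or MISSING."""
    results = {}
    for name, expected in parse_checksums(checksum_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == expected else "FAILED"
    return results

def demo():
    """Constructed sample: one intact file, one altered, one listed but absent."""
    digest = lambda data: hashlib.sha256(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("bsd", b"kernel"), ("base55.tgz", b"base set")):
            Path(d, name).write_bytes(data)
        listing = "\n".join([
            "untrusted comment: constructed sample, not a real signature",
            f"SHA256 (bsd) = {digest(b'kernel')}",
            f"SHA256 (base55.tgz) = {digest(b'something else')}",
            f"SHA256 (SHA) = {digest(b'absent')}",
        ])
        return check_directory(d, listing)

if __name__ == "__main__":
    print(demo())
```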
