Re: Impossibility of cryptographic verification of downloads

Thu, 26 May 2016 04:25:22 -0700 

On 2016-05-25, Chris Bennett <chrisbenn...@bennettconstruction.us> wrote:
> Get the SHA256.sig from a different server than the install files, after
> all, using just one server could be a problem if it is compromised.

You can get the SHA256.sig from the *same* server.

You just need to verify the openbsd-XX-base.pub key before you
point signify -C at it to check the downloaded files.

In the past people have posted photos of signify keys from CDs,
they're on various list posts, release notes, etc. Doing a web
search for the key that you have should find a number of results.

Once you have *one* verified signify key, as long as you're not
skipping updates, there is a closed loop. release n's keys are
included in release n-1.

untrusted comment: openbsd 5.9 base public key
RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn
untrusted comment: OpenBSD 5.9 firmware public key
RWSdmaNkytzh6BApmPSNSDLNg26ZaXlY8g/879UvLdo3rjbsby76Eda1
untrusted comment: OpenBSD 5.9 packages public key
RWSLRYDCTJeWLIScncqwGuXK6JVXDcIyRT0q+0m30MXXG4W2xWS4NZBP

untrusted comment: openbsd 6.0 base public key
RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8
untrusted comment: OpenBSD 6.0 firmware public key
RWRWf7GJKFvJTWEMIaw9wld0DujiqL1mlrC6HisE6i78C+2SRArV1Iyo
untrusted comment: OpenBSD 6.0 packages public key
RWQHIajRlT2mX7tmRgb6oN6mfJu3AgQ/TU38acrWABO8lz90dR3rNmey

untrusted comment: openbsd 6.1 base public key
RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa
untrusted comment: OpenBSD 6.1 firmware public key
RWS91POk0QZXfsqi4aI7MotYz8CPzoHjYg4a1IDi56cftacjsq+ZL/KY
untrusted comment: OpenBSD 6.1 packages public key
RWQbTjGFHEvnOckqY7u9iABhXAkEpF/6TQ3Mr6bMrWbT1wOM/HnbV9ov

> And face the reality of things:
>
> 1. The small bad guys. They can put up compromised install files and sig
> files. They laugh at the damage the did to you. Jajaja.

One verified signify key fixes this.

> 2. The worse bad guys. Your actual network from your ISP is compromised
> and you get compromised data. Period.

One verified signify key fixes this.

("small" and "worse" are difficult words here.).

> 3. The worst bad guys. The ones you have no protection against under any
> circumstances. These are the people who have physical access to your
> computer. The manufacturers. They can install compromised chips to the
> motherboard, etc.

You're pretty much screwed in this case.

Reply via email to