On 2016-05-25, Chris Bennett <chrisbenn...@bennettconstruction.us> wrote:
> Get the SHA256.sig from a different server than the install files, after
> all, using just one server could be a problem if it is compromised.

You can get the SHA256.sig from the *same* server. You just need to verify the openbsd-XX-base.pub key before you point signify -C at it to check the downloaded files.

In the past people have posted photos of signify keys from CDs, they're on various list posts, release notes, etc. Doing a web search for the key that you have should find a number of results.

Once you have *one* verified signify key, as long as you're not skipping updates, there is a closed loop. Release n's keys are included in release n-1.

> And face the reality of things:
>
> 1. The small bad guys. They can put up compromised install files and sig
> files. They laugh at the damage they did to you. Jajaja.

One verified signify key fixes this.

> 2. The worse bad guys. Your actual network from your ISP is compromised
> and you get compromised data. Period.

One verified signify key fixes this. ("small" and "worse" are difficult words here.)

> 3. The worst bad guys. The ones you have no protection against under any
> circumstances. These are the people who have physical access to your
> computer. The manufacturers. They can install compromised chips to the
> motherboard, etc. You're pretty much screwed in this case.
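
The check described in the reply above, as an added example that is not part of the original post: compare the key line of the .pub file you hold against a copy obtained from an independent source, and only then point `signify -C` at it. The function names and arguments are assumptions made for illustration; `signify -C -p <pubkey> -x SHA256.sig` is the standard checksum-verification invocation.

```shell
#!/bin/sh
# Added example. A signify public key file has two lines: an
# "untrusted comment:" line (not authenticated, may differ between
# copies) and the base64 key itself. Only the key line is compared.

# key_line FILE: print the first non-comment, non-empty line with
# whitespace and carriage returns stripped.
key_line() {
    awk '!/^untrusted comment:/ && NF { gsub(/[ \t\r]/, ""); print; exit }' "$1"
}

# same_signify_key LOCAL REFERENCE: succeed only if both files exist,
# carry a key line, and the two key lines are identical.
same_signify_key() {
    a=$(key_line "$1")
    b=$(key_line "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_release PUBKEY REFERENCE_COPY [DIR]
# PUBKEY must be an absolute path, e.g. /etc/signify/openbsd-XX-base.pub.
# REFERENCE_COPY is the same key obtained some other way (release notes,
# a list post, the /etc/signify directory of the previous release).
# DIR holds the downloaded sets together with SHA256.sig.
verify_release() {
    pub=$1 ref=$2 dir=${3:-.}
    if ! same_signify_key "$pub" "$ref"; then
        echo "key in $pub does not match independent copy $ref" >&2
        return 1
    fi
    if ! command -v signify >/dev/null 2>&1; then
        echo "signify not installed" >&2
        return 3
    fi
    # -C verifies SHA256.sig with the key, then checks every file it lists.
    ( cd "$dir" && signify -C -p "$pub" -x SHA256.sig )
}
```

A mismatch in the key line stops the procedure before any downloaded file is checked, which is the point of verifying the key first.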