Just purchase a CD set (or purchase a couple, every six months,
sponsor the project) and take the signify keys from there.  They're
even printed on the physical CDs themselves.

If your adversary can fake OpenBSD CD sets (in a timely fashion),
there's really not much else you can do.

Really .. just order a set and stop this silly thread.

Paul 'WEiRD' de Weerd

On Thu, May 26, 2016 at 11:08:30AM +0000, Stuart Henderson wrote:
| On 2016-05-25, Chris Bennett <chrisbenn...@bennettconstruction.us> wrote:
| > Get the SHA256.sig from a different server than the install files, after
| > all, using just one server could be a problem if it is compromised.
| 
| You can get the SHA256.sig from the *same* server.
| 
| You just need to verify the openbsd-XX-base.pub key before you
| point signify -C at it to check the downloaded files.
| 
| In the past people have posted photos of signify keys from CDs,
| they're on various list posts, release notes, etc. Doing a web
| search for the key that you have should find a number of results.
| 
| Once you have *one* verified signify key, as long as you're not
| skipping updates, there is a closed loop. release n's keys are
| included in release n-1.
| 
| untrusted comment: openbsd 5.9 base public key
| RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn
| untrusted comment: OpenBSD 5.9 firmware public key
| RWSdmaNkytzh6BApmPSNSDLNg26ZaXlY8g/879UvLdo3rjbsby76Eda1
| untrusted comment: OpenBSD 5.9 packages public key
| RWSLRYDCTJeWLIScncqwGuXK6JVXDcIyRT0q+0m30MXXG4W2xWS4NZBP
| 
| untrusted comment: openbsd 6.0 base public key
| RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8
| untrusted comment: OpenBSD 6.0 firmware public key
| RWRWf7GJKFvJTWEMIaw9wld0DujiqL1mlrC6HisE6i78C+2SRArV1Iyo
| untrusted comment: OpenBSD 6.0 packages public key
| RWQHIajRlT2mX7tmRgb6oN6mfJu3AgQ/TU38acrWABO8lz90dR3rNmey
| 
| untrusted comment: openbsd 6.1 base public key
| RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa
| untrusted comment: OpenBSD 6.1 firmware public key
| RWS91POk0QZXfsqi4aI7MotYz8CPzoHjYg4a1IDi56cftacjsq+ZL/KY
| untrusted comment: OpenBSD 6.1 packages public key
| RWQbTjGFHEvnOckqY7u9iABhXAkEpF/6TQ3Mr6bMrWbT1wOM/HnbV9ov
| 
| > And face the reality of things:
| >
| > 1. The small bad guys. They can put up compromised install files and sig
| > files. They laugh at the damage they did to you. Jajaja.
| 
| One verified signify key fixes this.
| 
| > 2. The worse bad guys. Your actual network from your ISP is compromised
| > and you get compromised data. Period.
| 
| One verified signify key fixes this.
| 
| ("small" and "worse" are difficult words here.)
| 
| > 3. The worst bad guys. The ones you have no protection against under any
| > circumstances. These are the people who have physical access to your
| > computer. The manufacturers. They can install compromised chips to the
| > motherboard, etc.
| 
| You're pretty much screwed in this case.
| 

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
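As an added example (not from the thread or from OpenBSD itself), here is the step Stuart describes done in Python: pin the key material you already trust (from a CD set, or from the previous release's /etc/signify) and refuse to hand a downloaded .pub to signify -C unless it decodes to exactly that material. The file layout (2-byte "Ed" algorithm tag, 8-byte key number, then the key or signature) is the signify format; the sample files below are constructed, with the 6.0 key copied from the post and dummy signature bytes.

```python
import base64
import hmac

# Trust anchors pinned from a source you already trust (a CD set, or the
# previous release's /etc/signify).  Key strings copied from the list post.
PINNED = {
    "openbsd-59-base.pub": "RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn",
    "openbsd-60-base.pub": "RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8",
}

def _blob(text, expect_len):
    """Split a signify file into (comment, raw bytes) and check the 'Ed' tag."""
    lines = text.strip().split("\n")
    if len(lines) != 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("not a signify file")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != expect_len or raw[:2] != b"Ed":
        raise ValueError("unexpected blob: want %d bytes, alg 'Ed'" % expect_len)
    return lines[0][len("untrusted comment: "):], raw

def parse_pubkey(text):
    """Public key file: 'Ed'(2) || keynum(8) || ed25519 public key(32)."""
    comment, raw = _blob(text, 42)
    return {"comment": comment, "keynum": raw[2:10], "pubkey": raw[10:]}

def parse_sig(text):
    """Signature file such as SHA256.sig: 'Ed'(2) || keynum(8) || signature(64)."""
    comment, raw = _blob(text, 74)
    return {"comment": comment, "keynum": raw[2:10], "sig": raw[10:]}

def pubkey_is_pinned(name, text):
    """True only if the downloaded .pub carries exactly the pinned key material.
    The comment line is untrusted input and is deliberately not compared."""
    got = parse_pubkey(text)
    want = base64.b64decode(PINNED[name])
    return hmac.compare_digest(got["keynum"] + got["pubkey"], want[2:])

def sig_matches_key(sig_text, pub_text):
    """signify rejects a signature whose key number differs from the key's;
    the ed25519 verification itself is left to signify -C."""
    return parse_sig(sig_text)["keynum"] == parse_pubkey(pub_text)["keynum"]

# Constructed samples: the 6.0 key is real (from the post); the signature
# bytes are dummy zeros, only the key number inside it is meaningful here.
SAMPLE_PUB_60 = ("untrusted comment: openbsd 6.0 base public key\n"
                 + PINNED["openbsd-60-base.pub"] + "\n")
SAMPLE_SIG_60 = ("untrusted comment: verify with openbsd-60-base.pub\n"
                 + base64.b64encode(b"Ed" + base64.b64decode(PINNED["openbsd-60-base.pub"])[2:10]
                                    + bytes(64)).decode() + "\n")
# A one-character change in the key body must be rejected before signify ever sees it.
TAMPERED_PUB_60 = SAMPLE_PUB_60.replace("Mgna4u8", "Mgna4u9")
```

Once `pubkey_is_pinned` returns True for the downloaded .pub, pointing `signify -C -p openbsd-60-base.pub -x SHA256.sig` at the files is safe even when the .pub came from the same mirror as the sets.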
