Just purchase a CD set (or purchase a couple, every six months, sponsor the project) and take the signify keys from there. They're even printed on the physical CDs themselves.
If your adversary can fake OpenBSD CD sets (in a timely fashion), there's really not much else you can do. Really .. just order a set and stop this silly thread.

Paul 'WEiRD' de Weerd

On Thu, May 26, 2016 at 11:08:30AM +0000, Stuart Henderson wrote:
| On 2016-05-25, Chris Bennett <chrisbenn...@bennettconstruction.us> wrote:
| > Get the SHA256.sig from a different server than the install files, after
| > all, using just one server could be a problem if it is compromised.
|
| You can get the SHA256.sig from the *same* server.
|
| You just need to verify the openbsd-XX-base.pub key before you
| point signify -C at it to check the downloaded files.
|
| In the past people have posted photos of signify keys from CDs,
| they're on various list posts, release notes, etc. Doing a web
| search for the key that you have should find a number of results.
|
| Once you have *one* verified signify key, as long as you're not
| skipping updates, there is a closed loop. release n's keys are
| included in release n-1.
|
| untrusted comment: openbsd 5.9 base public key
| RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn
| untrusted comment: OpenBSD 5.9 firmware public key
| RWSdmaNkytzh6BApmPSNSDLNg26ZaXlY8g/879UvLdo3rjbsby76Eda1
| untrusted comment: OpenBSD 5.9 packages public key
| RWSLRYDCTJeWLIScncqwGuXK6JVXDcIyRT0q+0m30MXXG4W2xWS4NZBP
|
| untrusted comment: openbsd 6.0 base public key
| RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8
| untrusted comment: OpenBSD 6.0 firmware public key
| RWRWf7GJKFvJTWEMIaw9wld0DujiqL1mlrC6HisE6i78C+2SRArV1Iyo
| untrusted comment: OpenBSD 6.0 packages public key
| RWQHIajRlT2mX7tmRgb6oN6mfJu3AgQ/TU38acrWABO8lz90dR3rNmey
|
| untrusted comment: openbsd 6.1 base public key
| RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa
| untrusted comment: OpenBSD 6.1 firmware public key
| RWS91POk0QZXfsqi4aI7MotYz8CPzoHjYg4a1IDi56cftacjsq+ZL/KY
| untrusted comment: OpenBSD 6.1 packages public key
| RWQbTjGFHEvnOckqY7u9iABhXAkEpF/6TQ3Mr6bMrWbT1wOM/HnbV9ov
|
| > And face the reality of things:
| >
| > 1. The small bad guys. They can put up compromised install files and sig
| > files. They laugh at the damage they did to you. Jajaja.
|
| One verified signify key fixes this.
|
| > 2. The worse bad guys. Your actual network from your ISP is compromised
| > and you get compromised data. Period.
|
| One verified signify key fixes this.
|
| ("small" and "worse" are difficult words here.)
|
| > 3. The worst bad guys. The ones you have no protection against under any
| > circumstances. These are the people who have physical access to your
| > computer. The manufacturers. They can install compromised chips to the
| > motherboard, etc.
|
| You're pretty much screwed in this case.

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+ +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
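As an added illustration of the "verify the .pub first" advice in the thread (this is example code written for this page, not part of the thread and not OpenBSD's own signify source): the script below parses signify key files in the format signify(1) uses (base64 of a 2-byte "Ed" tag, an 8-byte key number and the 32-byte Ed25519 public key), compares a key fetched from a mirror against pinned copies of the base keys quoted above, and performs the key-number check that signify -C does before verifying a signature. The mirror and tampered copies, and the all-zero signature blob, are constructed inputs; the actual Ed25519 verification is left to signify itself.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Layout of the base64 payload in a signify(1) key or signature line:
# 2-byte algorithm tag "Ed", 8-byte random key number, then the Ed25519
# public key (32 bytes) or the Ed25519 signature (64 bytes).
ALG_ED25519 = b"Ed"
KEYNUM_LEN = 8
PUBKEY_LEN = 32
SIG_LEN = 64
COMMENT_PREFIX = "untrusted comment: "


@dataclass(frozen=True)
class SignifyPubKey:
    comment: str   # untrusted: anyone can rewrite it, never rely on it
    keynum: bytes  # identifies which key a .sig was produced with
    key: bytes     # the Ed25519 public key itself


def _decode_payload(text: str, body_len: int) -> Tuple[str, bytes, bytes]:
    """Split a two-line signify file into (comment, keynum, body)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("not a signify key or signature file")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 2 + KEYNUM_LEN + body_len or raw[:2] != ALG_ED25519:
        raise ValueError("unsupported algorithm or wrong length")
    return lines[0][len(COMMENT_PREFIX):], raw[2:2 + KEYNUM_LEN], raw[2 + KEYNUM_LEN:]


def parse_pubkey(text: str) -> SignifyPubKey:
    comment, keynum, key = _decode_payload(text, PUBKEY_LEN)
    return SignifyPubKey(comment, keynum, key)


def same_key(a: SignifyPubKey, b: SignifyPubKey) -> bool:
    """Compare key material only; the comment line is deliberately ignored."""
    return hmac.compare_digest(a.keynum + a.key, b.keynum + b.key)


def find_trusted(candidate: SignifyPubKey,
                 trusted: Dict[str, SignifyPubKey]) -> Optional[str]:
    """Return the label of the pinned key the candidate matches, or None."""
    for label, pub in trusted.items():
        if same_key(candidate, pub):
            return label
    return None


def sig_keynum_matches(sig_text: str, pub: SignifyPubKey) -> bool:
    """The key-number check signify -C makes before Ed25519 verification:
    a .sig made with a different key is rejected without looking further."""
    _, keynum, _ = _decode_payload(sig_text, SIG_LEN)
    return hmac.compare_digest(keynum, pub.keynum)


# Base keys copied verbatim from the thread above; per the reply, confirm
# them against a CD set or other independent copies before pinning them.
TRUSTED_KEYS = {
    "openbsd-59-base.pub": parse_pubkey(
        "untrusted comment: openbsd 5.9 base public key\n"
        "RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn\n"),
    "openbsd-60-base.pub": parse_pubkey(
        "untrusted comment: openbsd 6.0 base public key\n"
        "RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8\n"),
    "openbsd-61-base.pub": parse_pubkey(
        "untrusted comment: openbsd 6.1 base public key\n"
        "RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa\n"),
}

# Constructed inputs standing in for files fetched from a mirror: a genuine
# copy of the 6.0 base key with a rewritten comment, and a copy with the
# last character of the key material altered.
MIRROR_COPY = ("untrusted comment: some other comment entirely\n"
               "RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8\n")
TAMPERED_COPY = ("untrusted comment: openbsd 6.0 base public key\n"
                 "RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u9\n")


def constructed_sig(pub: SignifyPubKey) -> str:
    """Build a .sig-shaped blob carrying pub's keynum over an all-zero
    signature body (constructed only to exercise the keynum check; it
    would fail real Ed25519 verification)."""
    payload = ALG_ED25519 + pub.keynum + bytes(SIG_LEN)
    return ("untrusted comment: verify with openbsd-60-base.pub\n"
            + base64.b64encode(payload).decode() + "\n")


if __name__ == "__main__":
    print(find_trusted(parse_pubkey(MIRROR_COPY), TRUSTED_KEYS))    # openbsd-60-base.pub
    print(find_trusted(parse_pubkey(TAMPERED_COPY), TRUSTED_KEYS))  # None
```

The comment line is ignored on purpose: it is the one part of the file signify itself marks as untrusted, so a mirror that serves a correct-looking comment over altered key material must still fail the comparison. Once a downloaded key matches a pinned copy, hand it to signify -C as the thread describes.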