I suspect only a few have noticed, so it probably should be mentioned
that install/upgrades are also signed now.

The documentation isn't written yet because change is ongoing.  Here
is a rough primer, for one or two usage cases.  More install methods
will work, but some are not perfect yet.

As detailed in the new signify(1) manual page, if you download bsd.rd
you can:

     Verify a bsd.rd before an upgrade:
           $ signify -V -e -p /etc/signify/55base.pub -x SHA256.sig -m - | \
                   sha256 -C - bsd.rd

The same can be done with cd55.iso or install55.iso, of course.

If this is OK, you can boot that bsd.rd (OK, you are trusting your
pre-existing bootblocks, though you could verify new ones).

When you install or upgrade from the net, it will use the SHA256.sig
file first, verify it using signify, then collect the base sets and
compare them against the SHA256 hashes.  They are all downloaded to a
spare place on the disk, and then extracted.  This change also makes
upgrades more "atomic".

There are a few raw edges still, but we would appreciate if this is
tried by a few people.  Please give us feedback.

This mechanism was designed by Ted Unangst; a few pieces here and
there by Todd Fries and myself; the bulk of the install script changes
by Alexander Hall and Robert Peichaer.
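
Below is an added example, not from this post and not the OpenBSD
install script itself: a POSIX shell script that performs the same
flow described above for a directory of downloaded sets.  It verifies
SHA256.sig with signify(1), extracts the embedded hash list, and only
then compares each named set against its "SHA256 (name) = hex" line,
failing closed on a missing signify, a bad signature, an unlisted
file, or any mismatch.  It assumes signify(1) is in PATH and that
either OpenBSD sha256(1) or GNU sha256sum is available; the public
key path, the directory and the set names are supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the post, not the OpenBSD install script): the same
# "verify the signed hash list, then check the sets against it" flow the
# installer performs, applied to a directory of downloaded sets.
#
# Assumptions: signify(1) is in PATH; hashing uses OpenBSD sha256(1) when
# present, otherwise GNU sha256sum. Paths and set names are caller-supplied.

# SHA-256 of a file as lowercase hex, using whichever tool is available.
sha256_hex() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# check_sets <hashlist> <dir> <name>...
# Compare each named file in <dir> against its "SHA256 (name) = hex" line in
# <hashlist>. A file that is unlisted, missing, or mismatched is a failure;
# every name is checked before returning so that all failures get reported.
# Returns 0 only if every file matched.
check_sets() {
    list=$1 dir=$2
    shift 2
    rc=0
    for name in "$@"; do
        # Fixed-string match on the whole prefix, so "." in a name is literal.
        want=$(grep -F "SHA256 ($name) = " "$list" | head -n 1 | sed 's/^.* = //')
        if [ -z "$want" ]; then
            echo "$name: not listed in $list" >&2
            rc=1
            continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "$name: missing from $dir" >&2
            rc=1
            continue
        fi
        got=$(sha256_hex "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "$name: OK"
        else
            echo "$name: FAILED" >&2
            rc=1
        fi
    done
    return $rc
}

# verify_and_check <pubkey> <dir> <name>...
# Step 1: verify <dir>/SHA256.sig with signify and extract the embedded hash
# list into <dir>/SHA256.  Step 2: check the named sets against that list.
# Fails closed: no signify, bad signature, or any hash problem -> non-zero.
verify_and_check() {
    pub=$1 dir=$2
    shift 2
    if ! command -v signify >/dev/null 2>&1; then
        echo "signify(1) not found; refusing to trust unsigned hashes" >&2
        return 1
    fi
    signify -V -e -p "$pub" -x "$dir/SHA256.sig" -m "$dir/SHA256" || return 1
    check_sets "$dir/SHA256" "$dir" "$@"
}

# Usage: sh verify_sets.sh /etc/signify/55base.pub /tmp/sets base55.tgz comp55.tgz
if [ $# -ge 3 ]; then
    verify_and_check "$@"
fi
```

The order matters: the hash list is only trusted after signify has
accepted the signature over it, which is why the extracted SHA256
file is written by signify itself rather than fetched separately.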
