I suspect only a few have noticed, so it probably should be mentioned that install/upgrades are also signed now.
The documentation isn't written yet because change is ongoing. Here is a rough primer, for one or two usage cases. More install methods will work, but some are not perfect yet.

As detailed in the new signify(1) manual page, if you download bsd.rd you can:

Verify a bsd.rd before an upgrade:

    $ signify -V -e -p /etc/signify/55base.pub -x SHA256.sig -m - | \
        sha256 -C - bsd.rd

The same can be done with cd55.iso or install55.iso, of course.

If this is OK, you can boot that bsd.rd (OK, you are trusting your pre-existing bootblocks, though you could verify new ones).

When you install or upgrade from the net, it will use the SHA256.sig file first, verify it using signify, then collect the base sets and compare them against the SHA256 hashes. They are all downloaded to a spare place on the disk, and then extracted. This change also makes upgrades more "atomic".

There are a few raw edges still, but we would appreciate it if this is tried by a few people. Please give us feedback.

This mechanism was designed by Ted Unangst; a few pieces here and there by Todd Fries and myself; the bulk of the install script changes by Alexander Hall and Robert Peichaer.
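
The second half of that flow (comparing downloaded sets against a hash list whose signature has already been checked) can be sketched as follows. This is an added example, not the OpenBSD install script and not code from the original message. It assumes the list has already passed signify -V, that sha256sum or sha256 is available, and it uses constructed stand-in files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check sets against an already-verified BSD-style hash list.
# Function names and file contents are constructed for illustration.

# Print the SHA256 hex digest of a file (sha256sum, else OpenBSD's sha256 -q).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# expected_hash LIST NAME: print the hash recorded for NAME, if any.
# List lines look like: SHA256 (bsd.rd) = <hex>
expected_hash() {
    awk -v n="$2" '$1 == "SHA256" && $2 == "(" n ")" && $3 == "=" { print $4; exit }' "$1"
}

# check_sets LIST DIR NAME...: return 0 only if every NAME is listed and matches.
check_sets() {
    list=$1 dir=$2; shift 2
    rc=0
    for name in "$@"; do
        want=$(expected_hash "$list" "$name")
        if [ -z "$want" ]; then   # fail closed: unlisted files are rejected
            echo "$name: not in signed list" >&2; rc=1; continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "$name: missing" >&2; rc=1; continue
        fi
        got=$(digest "$dir/$name")
        if [ "$got" = "$want" ]; then echo "$name: OK"; else echo "$name: FAILED" >&2; rc=1; fi
    done
    return $rc
}

# Constructed demo: two stand-in files and a hash list built from them.
demo_dir=$(mktemp -d)
printf 'ramdisk kernel stand-in\n' > "$demo_dir/bsd.rd"
printf 'base set stand-in\n' > "$demo_dir/base55.tgz"
for f in bsd.rd base55.tgz; do
    echo "SHA256 ($f) = $(digest "$demo_dir/$f")"
done > "$demo_dir/SHA256"
check_sets "$demo_dir/SHA256" "$demo_dir" bsd.rd base55.tgz
```

A file that is absent from the list is treated as a failure rather than skipped, so nothing outside the signed list gets extracted.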