> On Jan 19, 2014, at 8:47, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
>
> I suspect only a few have noticed, so it probably should be mentioned
> that install/upgrades are also signed now.
>
> The documentation isn't written yet because change is ongoing. Here
> is a rough primer, for one or two usage cases. More install methods
> will work, but some are not perfect yet.
>
> As detailed in the new signify(1) manual page, if you download bsd.rd
> you can:
>
> Verify a bsd.rd before an upgrade:
> $ signify -V -e -p /etc/signify/55base.pub -x SHA256.sig -m - | \
> sha256 -C - bsd.rd

Starting with a 5.5 beta installed late last week. sha256 -C gives me "unknown option". Without it the above works perfectly. The rest of the install goes as expected.

>
> The same can be done with cd55.iso or install55.iso, of course.
>
> If this is OK, you can boot that bsd.rd (OK, you are trusting your
> pre-existing bootblocks, though you could verify new ones).
>
> When you install or upgrade from the net, it will use the SHA256.sig
> file first, verify it using signify, then collect the base sets and
> compare them against the SHA256 hashes. They are all downloaded to a
> spare place on the disk, and then extracted. This change also makes
> upgrades more "atomic".
>
> There are a few raw edges still, but we would appreciate if this is
> tried by a few people.. please give us feedback.
>
> This mechanism was designed by Ted Unangst; a few pieces here and
> there by Todd Fries and myself; the bulk of the install script changes
> by Alexander Hall and Robert Peichaer.
>
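
The net install flow quoted above (verify SHA256.sig, stage the sets, compare hashes, only then extract), sketched as an added example that is not part of this thread or of the OpenBSD install script. It assumes the checksum text is what signify -V -e ... -m - printed after a successful verify, and that lines use the BSD "SHA256 (file) = hex" form; the set names and file contents are constructed.

```python
import hashlib
import os
import re
import tempfile

# BSD-style checksum line (assumed format): "SHA256 (name) = <64 hex digits>".
# Names containing "/" are rejected so a list entry cannot point outside staging.
LINE_RE = re.compile(r"^SHA256 \(([^)/]+)\) = ([0-9a-f]{64})$")

def parse_checksums(verified_text):
    """Parse the message body printed by signify after the signature checked out."""
    sums = {}
    for line in verified_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sums[m.group(1)] = m.group(2)
    return sums

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_staged_sets(staging_dir, wanted, sums):
    """Return {name: reason} for every set that must not be extracted."""
    bad = {}
    for name in wanted:
        path = os.path.join(staging_dir, name)
        if name not in sums:
            bad[name] = "not in signed list"
        elif not os.path.isfile(path):
            bad[name] = "missing"
        elif sha256_file(path) != sums[name]:
            bad[name] = "hash mismatch"
    return bad  # extract only when this is empty: all-or-nothing, hence "atomic"

def demo():
    # Constructed sample: two staged sets, one altered after the list was made.
    with tempfile.TemporaryDirectory() as d:
        sets = {"base55.tgz": b"base set bytes", "comp55.tgz": b"comp set bytes"}
        for name, data in sets.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        listing = "".join("SHA256 (%s) = %s\n" % (n, hashlib.sha256(c).hexdigest())
                          for n, c in sets.items())
        with open(os.path.join(d, "comp55.tgz"), "ab") as f:
            f.write(b"tampered")
        wanted = ["base55.tgz", "comp55.tgz", "man55.tgz"]
        return check_staged_sets(d, wanted, parse_checksums(listing))
```
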