On 2022/12/09 07:19, Andreas Ehlert wrote:
> hello openbsd folks,
>
> thanks a lot for your os.
> i have an issue for your interest.
>
> the install image install72.img have an failure.
> the installation routine can not find the sha256.sig
> file to check the base files with checksum.
>
> i take a look on the usb stick and i found the sha256
> under 7.2/amd64 but not sha256.sig
>
> the installation is only possible without verification of the base files.
>
> i think this is a security issue for a fresh 7.2 installation.

If you have booted the USB stick, it is already too late to check the
crypto-signature; if it was a dodgy malicious file then it could have
already done damage. And the sha256 signature is good enough to detect
bad imaging.

If you have an existing OpenBSD installation, you can use signify to
verify the downloaded image. If it is an installation of 7.1, you already
have the 7.2 keys available. If not, you can either upgrade release by
release to 7.2 (each release having the keys for the subsequent release,
maintaining the chain of authenticity), or copy the public key for the
signature from https://www.openbsd.org/72.html.

If you don't have an existing OpenBSD installation, you can alternatively
use minisign to verify the download. It's packaged in some OS, or fetch
it from https://jedisct1.github.io/minisign/

> when i make a wish. i wish peace, love and unity for the human race and a
> installation routine with checksum verification of the base files.

eh, diversity is good too
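
The signify check described in the reply above, as an added example that is not part of the original message: it verifies a downloaded image against `SHA256.sig` before the image is written to a USB stick. The function names and return codes are assumptions made for this example; `/etc/signify/openbsd-72-base.pub` is where an OpenBSD 7.1 system keeps the 7.2 key.

```shell
#!/bin/sh
# Added example: verify a downloaded OpenBSD image *before* writing or booting it.
# Return codes (chosen for this example): 0 verified, 1 verification failed,
# 2 an input file is missing, 127 no signify binary found.

# Turn a path into an absolute one so it survives the cd below.
abspath() { echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"; }

verify_image() {
    pubkey=$1    # e.g. /etc/signify/openbsd-72-base.pub on an OpenBSD 7.1 host
    sigfile=$2   # SHA256.sig, downloaded from the same directory as the image
    image=$3     # e.g. install72.img

    for f in "$pubkey" "$sigfile" "$image"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done

    # Some Linux distributions package OpenBSD's tool as "signify-openbsd"
    # (plain "signify" can be an unrelated program there), so try that name first.
    if command -v signify-openbsd >/dev/null 2>&1; then
        tool=signify-openbsd
    elif command -v signify >/dev/null 2>&1; then
        tool=signify
    else
        echo "no signify binary found" >&2
        return 127
    fi

    pubkey=$(abspath "$pubkey")
    sigfile=$(abspath "$sigfile")

    # -C first verifies the signature on the checksum list, then checks the
    # SHA256 of the named file. The list refers to files by bare name, so run
    # the check from the directory that holds the image.
    ( cd "$(dirname "$image")" &&
      "$tool" -C -p "$pubkey" -x "$sigfile" "$(basename "$image")" ) || return 1
    return 0
}

# Usage (paths are placeholders):
#   verify_image /etc/signify/openbsd-72-base.pub ./SHA256.sig ./install72.img
```

A non-zero return means the image must not be written or booted; download it again and repeat the check.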