Bryan Steele writes:
> https://www.openbsd.org/faq/faq4.html#Download
>
> > The install72.iso and install72.img images do not contain an SHA256.sig
> > file, so the installer will complain that it can't check the signature
> > of the included sets:
> >
> > Directory does not contain SHA256.sig. Continue without verification? [no]
> >
> > This is because it would make no sense for the installer to verify them.
> > If someone were to make a rogue installation image, they could certainly
> > change the installer to say the files were legitimate.

Or they could just remove the check entirely. If you're not verifying
the software that you run on your "raw" pre-operating-system
processor, you're hardly going to verify the output from the installer
to check that the right questions were asked and answered. Assuming
you even know it's there. In a system now controlled by an attacker.

How long has it been since this came up last? It seems like an
interesting metric suggesting how readily the documentation (and
source) is found and read.

Have you considered SEO? <trollface/>

Matthew
