On Tue, May 13, 2014 at 06:42:53PM +0000, Alexej wrote:
> Greetings gentlemen,
> 
> Downloaded and installed install55.iso, SHA256 was verified successfully.
> 
> Downloaded firefox-26.0p1.tgz from Canada (Alberta) mirror site along with
> SHA256 files.
> 
> /pub/OpenBSD/5.5/packages/amd64/SHA256
> /pub/OpenBSD/5.5/packages/amd64/SHA256.sig
> /pub/OpenBSD/5.5/packages/amd64/firefox-26.0p1.tgz
> 
> Then performed a check and got a result:
> 
> Signature Verified
> firefox-26.0p1.tgz: FAIL

Yes, it's okay. Don't perform that check. I don't even understand why
someone signed SHA256 in the package directory.

All packages have embedded signatures, and pkg_add checks them directly.
If you're using a 5.5 system, just pkg_add that package. If there's
a corruption, pkg_add will tell you.  pkg_add from 5.5 *won't* install
unsigned packages unless you're using specific options (-Dunsigned).
