On 06/16/14 15:56, Jiri B wrote:
> On Sun, Jun 15, 2014 at 05:09:20PM -0400, Ted Unangst wrote:
>> On Sun, Jun 15, 2014 at 14:12, Aaron Gomez wrote:
>>> I looked at the signify command but I can't figure out how to check all
>>> the files and then create the SHA256.sig.
>>>
>>> I tried "signify -S -s myprivatekey.sec -m SHA256 -x SHA256.sig" but
>>> that just created a file SHA256.sig with the following contents:
>>>
>>> untrusted comment: signature from signify secret key
>>> RWQ/YLxjYycyl9yO0Qz8OyKSG9NnreWqIqIvMrJ64hJ2XqsXcElZB8BW8h/tGfvR44cRyAlIk10pUntzg9R0Z1p5+e+1tHFzkAs=
>>
>> You need the -e flag to embed the message into the signature.
>>
>>> I then ran sha256 against all of the files and copied the output to the
>>> SHA256.sig file, created a new install cd and tried again. This time it
>>> failed telling me that I used the incorrect key.
>>
>> The main problem is that the CD will attempt to verify against a key
>> named openbsd-55-base.pub, which we ship. That's not going to match
>> the private key you generated and are using.
>>
>>> What do I need to do to make it so the installer can verify my newly
>>> created release files?
>>
>> The best approach, but it's more work, would be to change install.sh
>> to look for a key like aaron-55-base.pub and add that to the ramdisk.
>> The shortcut would be to replace the openbsd key, but that will only
>> cause confusion later, so I'd try not to.
>>
>> That said, you probably don't need to sign releases you're building
>> for yourself, unless they are travelling over untrusted links. We sign
>> releases because they go from OpenBSD servers to you over the scary
>> internet. If you control distribution, that's less scary.
>
> Wouldn't something like below make life easier?
>
> [diff to easily allow different keys]
I think focus has been lost.
What's the point of signing releases? To say "This came from the
OpenBSD project".
Why? To make sure your release is a pure, untampered-with version.
Signed releases are not a goal; the goal is an install that is trusted by
the installer (you). Signed releases are a way to help reach that goal.
Don't forget that.
IF your release is from the OpenBSD project, the signing should work
fine. If your release is from some other source...I WANT an alert saying
"This is not signed by OpenBSD"! I don't want to squish the alert. It
isn't there to hit a checkbox "Code signed by someone".
If your use is such that you DO want to certify that YOU created the
files in question, that's great, ok, you have got a great "mini-fork" --
you can easily build your own release with your own keys and manage them
appropriately, but a knob to get around the very point of release file
signing is not really what I want to see.
Nick.
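The signify flow the thread walks through, as an added example in Go that is not part of the thread and not signify's own code: it reproduces the public-key and signature file layout from signify's source (a two-byte "Ed" tag, an eight-byte key id, then the raw Ed25519 key or signature, base64-encoded under an "untrusted comment:" line), signs a sha256(1)-style list with the message embedded the way `signify -S -e` does, and verifies it the way `signify -V -e` does, including the key-id comparison that rejects a signature made with a key other than the one in the .pub file, which is the failure Aaron reported when the installer checked his SHA256.sig against openbsd-55-base.pub. Ed25519 comes from Go's standard library. The key names (aaron-55-base, openbsd-55-base) follow the thread, the checksum line is constructed, and the passphrase encryption signify applies to the .sec file is left out, so this is not a drop-in replacement for the tool.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// signify(1) blob layout, per its source: 2-byte algorithm tag "Ed", 8-byte random
// key id ("keynum"), then the raw Ed25519 public key (32 bytes) or signature (64
// bytes), base64-encoded under an "untrusted comment:" line. With -e the message follows.
const pkAlg, keyNumLen, hdr = "Ed", 8, "untrusted comment: "

var (
	// Key id mismatch is reported before any Ed25519 check is attempted.
	ErrWrongKey = errors.New("verification failed: checked against wrong key")
	ErrBadSig   = errors.New("signature verification failed")
)

type KeyPair struct {
	KeyNum []byte
	Pub    ed25519.PublicKey
	Priv   ed25519.PrivateKey
}

// Generate makes a key pair with a fresh key id (.sec file encryption omitted here).
func Generate() (*KeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	kn := make([]byte, keyNumLen)
	if _, err = rand.Read(kn); err != nil {
		return nil, err
	}
	return &KeyPair{KeyNum: kn, Pub: pub, Priv: priv}, nil
}

func encodeFile(comment string, parts ...[]byte) string {
	blob := []byte(pkAlg)
	for _, p := range parts {
		blob = append(blob, p...)
	}
	return hdr + comment + "\n" + base64.StdEncoding.EncodeToString(blob) + "\n"
}

// PubFile is the content of a .pub file such as openbsd-55-base.pub.
func (k *KeyPair) PubFile(comment string) string { return encodeFile(comment, k.KeyNum, k.Pub) }

// SignEmbedded yields what `signify -S -e -s key.sec -m SHA256 -x SHA256.sig` writes.
func (k *KeyPair) SignEmbedded(comment string, msg []byte) string {
	return encodeFile(comment, k.KeyNum, ed25519.Sign(k.Priv, msg)) + string(msg)
}

// parseFile returns key id, payload (want bytes) and whatever follows the base64 line.
func parseFile(content string, want int) (keynum, payload []byte, rest string, err error) {
	comment, after, _ := strings.Cut(content, "\n")
	b64, rest, _ := strings.Cut(after, "\n")
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || !strings.HasPrefix(comment, hdr) || len(blob) != 2+keyNumLen+want || string(blob[:2]) != pkAlg {
		return nil, nil, "", fmt.Errorf("malformed signify file (expected a %d-byte payload)", want)
	}
	return blob[2 : 2+keyNumLen], blob[2+keyNumLen:], rest, nil
}

// VerifyEmbedded mirrors `signify -V -e`: key ids must match, then the signature must verify.
func VerifyEmbedded(pubFile, sigFile string) ([]byte, error) {
	pkNum, pub, _, err := parseFile(pubFile, ed25519.PublicKeySize)
	if err != nil {
		return nil, err
	}
	sigNum, sig, msg, err := parseFile(sigFile, ed25519.SignatureSize)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(pkNum, sigNum) {
		return nil, ErrWrongKey
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(msg), sig) {
		return nil, ErrBadSig
	}
	return []byte(msg), nil
}

func main() {
	// Constructed message in sha256(1) output format; key names follow the thread.
	list := []byte(fmt.Sprintf("SHA256 (bsd.rd) = %x\n", sha256.Sum256([]byte("ramdisk"))))
	aaron, _ := Generate()
	openbsd, _ := Generate() // stands in for the key the stock ramdisk ships
	sig := aaron.SignEmbedded("signature from aaron-55-base secret key", list)
	for _, k := range []*KeyPair{aaron, openbsd} {
		_, err := VerifyEmbedded(k.PubFile("public key"), sig)
		fmt.Println("verify:", err) // nil for aaron's key, ErrWrongKey for openbsd's
	}
}
```

The order of checks is the point: a signature file is only ever compared against the one .pub the verifier was handed, and the key id in the signature is compared with that key's id before the Ed25519 math runs, so a signature made with a different key is rejected as "wrong key" rather than as a bad signature. The installer's `signify -C` mode first verifies the signed list this way and then checks each release file against it, so shipping your own key (or changing which key install.sh looks for) is what makes a self-signed SHA256.sig verify.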