On Wed, 13 Aug 2014, at 11:38 AM, Theo de Raadt wrote:
> > One suggestion/request, to make it even harder for the man-in-the-middle
> > attack to be successfully employed, could the current checksums be posted in
> > the announcement of the new version?
>
> http://www.openbsd.org/55.html
>
> signify(1) pubkeys for this release:
> base: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
> fw: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
> pkg: RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5
>
> For the upcoming 5.6 release (few months yet), the keys are already
> included in your 5.5 install, or you can find them in your /etc/signify
> directory. Or, check http://www.openbsd.org/56.html (warning:
> incomplete)
>
> signify(1) pubkeys for this release:
> base: RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
> fw: RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw
> pkg: RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb
>
> In fact the snapshots available since about a month ago already include
> the public keys for the 5.7 release next May....
Now check out the keys in /src/etc/signify/ from cvs over ssh, check that the fingerprint of the cvs server matches what is on the website (and/or in the various caches), and compare that the keys match what was posted. And as mailing list posts are mirrored on many archive sites, compare that the various archives agree on what keys were posted. And once you have a 5.5 that you're confident is legitimate, every subsequent release can be verified using the keys from it, and you will have a chain of trust.
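The key comparison this reply describes, as an added Python example that is not part of the thread: it decodes the signify(1) public-key format (base64 of a two-byte "Ed" algorithm tag, an eight-byte key id and a 32-byte Ed25519 key) and checks the 5.5 keys quoted in the announcement against stand-ins for the /etc/signify/openbsd-55-*.pub files. The file contents, their comment lines and the deliberately altered "fw" copy are constructed here, not taken from a real install.

```python
import base64
import struct

# Public keys for the 5.5 release exactly as quoted in the announcement above.
ANNOUNCED_55 = {
    "base": "RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h",
    "fw":   "RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO",
    "pkg":  "RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5",
}

# Constructed stand-ins for /etc/signify/openbsd-55-*.pub (comment lines are
# assumptions). The "fw" copy has its last character changed to simulate a
# tampered file, so the comparison has something to catch.
LOCAL_PUB_FILES = {
    "base": "untrusted comment: openbsd 5.5 base public key\n" + ANNOUNCED_55["base"] + "\n",
    "fw":   "untrusted comment: openbsd 5.5 fw public key\n" + ANNOUNCED_55["fw"][:-1] + "P\n",
    "pkg":  "untrusted comment: openbsd 5.5 pkg public key\n" + ANNOUNCED_55["pkg"] + "\n",
}

def parse_signify_pubkey(text):
    """Decode a signify(1) public key (optional 'untrusted comment:' line, then
    one base64 line: 2-byte algorithm tag 'Ed', 8-byte key id, 32-byte key).
    Returns (keyid_hex, key_bytes); raises ValueError on anything malformed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].startswith("untrusted comment:"):
        lines = lines[1:]                      # the comment is unsigned; ignore it
    if len(lines) != 1:
        raise ValueError("expected exactly one key line")
    raw = base64.b64decode(lines[0], validate=True)   # binascii.Error is a ValueError
    if len(raw) != 42:
        raise ValueError("bad key length %d" % len(raw))
    alg, keyid, key = struct.unpack("2s8s32s", raw)
    if alg != b"Ed":
        raise ValueError("unknown algorithm tag %r" % alg)
    return keyid.hex(), key

def compare_keys(announced, local_files):
    """Cross-check each announced key against the locally installed file.
    Returns {name: "ok" | "mismatch" | "missing" | "malformed"}."""
    result = {}
    for name, posted in announced.items():
        text = local_files.get(name)
        if text is None:
            result[name] = "missing"
            continue
        try:
            posted_key = parse_signify_pubkey(posted)
            local_key = parse_signify_pubkey(text)
        except ValueError:
            result[name] = "malformed"
            continue
        # Compare decoded (id, key) tuples, so whitespace differences cannot mask a change.
        result[name] = "ok" if posted_key == local_key else "mismatch"
    return result
```

The same function can be pointed at two copies of the announcement pulled from different list archives to check that they agree, as the reply suggests.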