I found a couple of threads related to signing the siteXX.tgz install files, and was wondering what the future (5.6) of this might look like.
If I understand the present (5.5) situation correctly, if site*.tgz are created & distributed, you have to trust your own files & method of distribution.

Theo wrote (in part):
... signify only works for the signed base sets. site*.tgz is now a pretty serious outlier. ....
https://www.mail-archive.com/misc@openbsd.org/msg127738.html

Nick wrote (in part):
It "works" exactly as intended: your siteXX.tgz file is something YOU generated, OpenBSD has no idea what's in it. If you can't trust your siteXX.tgz file and how it gets from you to you, you have much bigger problems that signing isn't going to fix.
http://mailing.openbsd.misc.narkive.com/M1bFETMA/signing-release-files