On Fri, Feb 9, 2018 at 4:44 PM, Kevin Chadwick <m8il1i...@gmail.com> wrote: > On Fri, 09 Feb 2018 16:11:01 -0500 >> but I can't for the life of me figure out how to cryptographically >> verify the legitimacy of install62.iso with SHA256.sig. > > I've never done it on linux however try > > signify -C -p /etc/signify/openbsd-62-base.pub -x SHA256.sig > > https://man.openbsd.org/signify
The next question of course will be, how can you be sure that your copy of /etc/signify/openbsd-62-base.pub is legitimate? Someone could have tampered with that file as easily as they could have tampered with SHA256.sig. You can go to https://www.openbsd.org/62.html to get the 6.2 signify keys, but how sure can you be that the site hasn't been compromised? Or that the site you see in your browser is even the real one? At some point you need to convince yourself that you have a good key. The keys have been published in various places, and the last several CD releases (from 5.5 or so until CD distribution stopped) had the signify keys actually printed on the CD labels. Each release of OpenBSD includes keys for the next release, so once you have a key you trust you can use that to verify that version, then use the key in that version to verify the next version, and so on. This paper provides some good background about why signify rather than https or gpg: http://www.openbsd.org/papers/bsdcan-signify.html -ken
