Thank you both. That worked. Ubuntu already had a package named signify so, with all 3 files in the $PWD, the correct command is:
signify-openbsd -C -p openbsd-62-base.pub -x SHA256.sig install62.iso

Possibly part of the problem is that the Ubuntu package signify-openbsd-keys does NOT put anything in /etc but puts the keys in /usr/share/signify-openbsd-keys/ & that it doesn't have anything later than 59. I may try downloading 59 just to see if it works more intuitively.

Re "how can you be sure that your copy of /etc/signify/openbsd-62-base.pub is legitimate?": AFAIK, that is the same issue as with a gpg public key, & the best answer, using only the internet, is to find copies in multiple places on different sites, and determine that they are the same.

I think the only way to be good at paranoia is to practice it ;-), so I'm trying to do that now. If nothing else, it's a good logic puzzle.

....................................
Because if we allow the Constitution to become a "literary fiction" future generations will rightfully view us with contempt as shallow, posing slackers, this is:

Sent with ProtonMail Secure Email.

-------- Original Message --------
On February 9, 2018 5:50 PM, Kenneth Gober wrote:

> On Fri, Feb 9, 2018 at 4:44 PM, Kevin Chadwick m8il1i...@gmail.com wrote:
>> On Fri, 09 Feb 2018 16:11:01 -0500
>>> but I can't for the life of me figure out how to cryptographically
>>> verify the legitimacy of install62.iso with SHA256.sig.
>>
>> I've never done it on linux however try
>>
>> signify -C -p /etc/signify/openbsd-62-base.pub -x SHA256.sig
>>
>> https://man.openbsd.org/signify
>>
> The next question of course will be, how can you be sure that your
> copy of /etc/signify/openbsd-62-base.pub is legitimate? Someone could
> have tampered with that file as easily as they could have tampered
> with SHA256.sig.
>
> You can go to https://www.openbsd.org/62.html to get the 6.2 signify
> keys, but how sure can you be that the site hasn't been compromised?
> Or that the site you see in your browser is even the real one? At
> some point you need to convince yourself that you have a good key.
>
> The keys have been published in various places, and the last several
> CD releases (from 5.5 or so until CD distribution stopped) had the
> signify keys actually printed on the CD labels. Each release of
> OpenBSD includes keys for the next release, so once you have a key you
> trust you can use that to verify that version, then use the key in
> that version to verify the next version, and so on.
>
> This paper provides some good background about why signify rather than
> https or gpg:
>
> http://www.openbsd.org/papers/bsdcan-signify.html
>
> -ken
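Added example, not from this thread and not OpenBSD's signify source: a Go re-implementation of what `signify -C -p openbsd-62-base.pub -x SHA256.sig install62.iso` actually checks, using only the standard library's crypto/ed25519. It parses the .pub and SHA256.sig layouts (an "untrusted comment:" line, then base64 of the two-byte algorithm tag, eight-byte key number and the key or signature, with the signed checksum list following in SHA256.sig), refuses a signature whose key number does not match the .pub file, verifies the Ed25519 signature over the list, and only then compares the named file's SHA256 with the signed entry. main walks the release-to-release chain Ken describes with freshly generated keys; the key numbers, comments and stand-in iso contents are constructed for the example and are not OpenBSD's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Line 2 of a signify file is base64 of: the 2-byte algorithm tag "Ed", an
// 8-byte key number, then the Ed25519 public key (32 bytes) or signature (64 bytes).
const algTag = "Ed"

// splitSignifyFile checks the "untrusted comment:" header, decodes line 2 and
// returns the blob plus everything after line 2 (the embedded message, if any).
func splitSignifyFile(text string, blobLen int) ([]byte, string, error) {
	parts := strings.SplitN(text, "\n", 3)
	if len(parts) < 2 || !strings.HasPrefix(parts[0], "untrusted comment:") {
		return nil, "", errors.New("missing 'untrusted comment:' header line")
	}
	blob, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil || len(blob) != blobLen || string(blob[:2]) != algTag {
		return nil, "", errors.New("malformed or unsupported signify blob")
	}
	return blob, strings.Join(parts[2:], ""), nil
}

// Verify does what `signify -C -p pubFile -x sigFile names...` does: the key
// number in the signature must match the .pub file, the Ed25519 signature over
// the checksum list that follows it must be valid, and only then are files checked.
func Verify(pubFile, sigFile string, files map[string][]byte, names ...string) error {
	key, _, err := splitSignifyFile(pubFile, 2+8+ed25519.PublicKeySize)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	sig, msg, err := splitSignifyFile(sigFile, 2+8+ed25519.SignatureSize)
	if err != nil {
		return fmt.Errorf("signature file: %w", err)
	}
	if string(sig[2:10]) != string(key[2:10]) {
		return errors.New("signature was not made with the given key")
	}
	if !ed25519.Verify(ed25519.PublicKey(key[10:]), []byte(msg), sig[10:]) {
		return errors.New("signature verification failed")
	}
	return CheckSHA256(msg, files, names...)
}

// CheckSHA256 is the -C half: msg is the now-verified "SHA256 (name) = hex" list
// and every named file must match its entry. files stands in for the files in $PWD.
func CheckSHA256(msg string, files map[string][]byte, names ...string) error {
	listed := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(msg), "\n") {
		i := strings.Index(line, ") = ")
		if !strings.HasPrefix(line, "SHA256 (") || i < 0 {
			return fmt.Errorf("unexpected line in checksum list: %q", line)
		}
		listed[line[len("SHA256 ("):i]] = line[i+4:]
	}
	for _, n := range names {
		want, inList := listed[n]
		data, onDisk := files[n]
		if got := sha256.Sum256(data); !inList || !onDisk || hex.EncodeToString(got[:]) != want {
			return fmt.Errorf("%s: FAIL (not in the signed list, missing, or digest mismatch)", n)
		}
	}
	return nil
}

// signifyFile and SignChecksums only build fixtures for this example; a real
// user never signs anything, they download SHA256.sig and the .pub file.
func signifyFile(comment string, keyNum, body []byte) string {
	blob := append(append([]byte(algTag), keyNum...), body...)
	return "untrusted comment: " + comment + "\n" + base64.StdEncoding.EncodeToString(blob) + "\n"
}

func SignChecksums(priv ed25519.PrivateKey, keyNum []byte, comment string, files map[string][]byte) string {
	var msg strings.Builder
	for name, data := range files {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&msg, "SHA256 (%s) = %s\n", name, hex.EncodeToString(sum[:]))
	}
	return signifyFile(comment, keyNum, ed25519.Sign(priv, []byte(msg.String()))) + msg.String()
}

func main() {
	// Constructed chain with fresh keys (not OpenBSD's): the trusted "6.1" key
	// vouches for the set that ships openbsd-62-base.pub, which then verifies the iso.
	pub61, priv61, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	pub62, priv62, _ := ed25519.GenerateKey(nil)
	pubFile61 := signifyFile("demo 6.1 base public key", []byte("keynum61"), pub61)
	pubFile62 := signifyFile("demo 6.2 base public key", []byte("keynum62"), pub62)
	set61 := map[string][]byte{"openbsd-62-base.pub": []byte(pubFile62)}
	set62 := map[string][]byte{"install62.iso": []byte("stand-in for the iso")}
	sig61 := SignChecksums(priv61, []byte("keynum61"), "verify with openbsd-61-base.pub", set61)
	sig62 := SignChecksums(priv62, []byte("keynum62"), "verify with openbsd-62-base.pub", set62)
	fmt.Println("6.2 key via trusted 6.1 key, err =", Verify(pubFile61, sig61, set61, "openbsd-62-base.pub"))
	fmt.Println("install62.iso via 6.2 key, err =", Verify(pubFile62, sig62, set62, "install62.iso"))
}
```

Both lines print `err = <nil>`; change the iso bytes, edit a line of the checksum list, or hand Verify a .pub with a different key number and it returns an error instead. The order of the checks is the point of signify's design: a SHA256.sig whose list has been edited fails at the signature step before any file is read, so the digests in the list are only ever trusted after the signature over them is, and the key used to check them is in turn something the previous release's signed sets vouched for.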