On Tue, Feb 20, 2018 at 12:59:08PM +0100, Theo Buehler wrote:
> On Tue, Feb 20, 2018 at 12:56:06PM +0100, Nicolas Schmidt wrote:
> > Hi,
> >
> > I am finally getting around to upgrading 6.1->6.2. When I try to install
> > from CD using the install62.iso image, the install script complains that it
> > can't find SHA256.sig (indeed, it's on it).
> >
> > Is that supposed to happen?
>
> Yes. The last paragraph from
> https://www.openbsd.org/faq/faq4.html#Download says:
>
> The installXX.iso and installXX.fs images do not contain an SHA256.sig
> file, and the installer will complain that it can't check the
> signatures. It is not possible for the installer to verify the sets with
> these images. After all, if someone were to make a rogue installXX.iso
> file, they could certainly change the installer to say the files were
> legitimate. Thus, you must verify those installer downloads separately.
>

Isn't the same true when I download file sets from any mirror? After all, I download SHA256.sig and file sets from a mirror; how can I trust it?