On Tue, 20 Feb 2018 18:45:01 +0100 Stefan Sperling <s...@stsp.name> wrote:
> > I download SHA256.sig and file sets from the mirror, how can I trust it?
>
> You run a trusted signify binary, which was not obtained from the
> mirror but is part of your existing install, to check the signature
> on SHA256.sig.

I know this is a little bit far-fetched, pardon my ignorance, but OpenBSD seems
vulnerable on first installation. In case of DNS poisoning, what can stop a
virus from forwarding the installer to a false SHA256.sig and a false repository?

My guess would be to use DNSSEC and a local copy of an OpenBSD repository to
avoid such an issue.

Also I still don't understand the logic of not embedding SHA256.sig in the ISO.
A SHA256.sig exists, why NOT use it?

Best regards,
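Added here as an example; it is not part of this thread and not OpenBSD's own code. It is a pure-Python Ed25519 (after the public-domain reference implementation) with a reader for signify's key and signature file layout, run over constructed keys and constructed file sets. It walks the check Stefan describes: the key already on the installed system verifies a SHA256.sig fetched from the mirror, and only then are the sets hashed. The "attacker" swaps a set and re-signs a rewritten SHA256.sig with a key of its own. The seeds, the key numbers, the set contents and the file names are all assumptions for the demonstration.

```python
# Added example for this thread, not code from the mail or from OpenBSD's signify(1):
# pure-Python Ed25519 after the public-domain reference ed25519.py, plus a reader for
# signify's key and signature file layout. Keys, key numbers and set contents are constructed.
import base64, hashlib, re

q = 2**255 - 19                                      # field prime
l = 2**252 + 27742317777372353535851937790883648493   # order of the base point
def inv(x): return pow(x, q - 2, q)
d = -121665 * inv(121666) % q
I = pow(2, (q - 1) // 4, q)

def xrecover(y):                                     # even x with x^2 = (y^2-1)/(d*y^2+1)
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q: x = x * I % q
    return q - x if x & 1 else x
B = (xrecover(4 * inv(5) % q), 4 * inv(5) % q)     # base point

def add(P, Q):                                       # twisted Edwards point addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q, (y1 * y2 + x1 * x2) * inv(1 - t) % q)

def mul(P, e):                                       # double-and-add scalar multiplication
    R = (0, 1)
    while e:
        if e & 1: R = add(R, P)
        P, e = add(P, P), e >> 1
    return R

def enc(P): return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def dec(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != s[31] >> 7: x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q: raise ValueError("point not on curve")
    return (x, y)
def H(*parts): return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def secret_scalar(seed):                             # RFC 8032 clamping; also returns the nonce prefix
    h = hashlib.sha512(seed).digest()
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]
def pubkey(seed): return enc(mul(B, secret_scalar(seed)[0]))

def sign(seed, m):
    a, prefix = secret_scalar(seed)
    pk = enc(mul(B, a))
    r = H(prefix, m) % l
    R = enc(mul(B, r))
    return R + ((r + H(R, pk, m) * a) % l).to_bytes(32, "little")

def verify(pk, m, sig):
    S = int.from_bytes(sig[32:], "little")
    if S >= l: return False                          # reject non-canonical S
    try: R, A = dec(sig[:32]), dec(pk)
    except ValueError: return False
    return mul(B, S) == add(R, mul(A, H(sig[:32], pk, m) % l))

# signify(1) file layout: comment line, then base64("Ed" + 8-byte keynum + key or signature),
# then (for -e) the embedded message. The keynum ties a signature to one specific key.
def signify_pubfile(keynum, pk):
    return b"untrusted comment: constructed release key\n" + base64.b64encode(b"Ed" + keynum + pk) + b"\n"
def signify_sign_embed(seed, keynum, msg):           # like `signify -S -e`
    return b"untrusted comment: verify with constructed.pub\n" + base64.b64encode(b"Ed" + keynum + sign(seed, msg)) + b"\n" + msg
def signify_verify_embed(pubfile, sigfile):          # like `signify -V -e`: returns the embedded message
    k = base64.b64decode(pubfile.split(b"\n", 2)[1])
    _, sigline, msg = sigfile.split(b"\n", 2)
    s = base64.b64decode(sigline)
    if k[:2] != b"Ed" or s[:2] != b"Ed": raise ValueError("unsupported algorithm")
    if k[2:10] != s[2:10]: raise ValueError("verification failed: checked against wrong key")
    if not verify(k[10:42], msg, s[10:74]): raise ValueError("signature verification failed")
    return msg
def check_sets(sha256_text, files):                  # like `signify -C`: hash the listed sets we have
    out = {}
    for m in re.finditer(rb"^SHA256 \((.+?)\) = ([0-9a-f]{64})$", sha256_text, re.M):
        name, want = m.group(1).decode(), m.group(2).decode()
        if name in files:
            out[name] = "OK" if hashlib.sha256(files[name]).hexdigest() == want else "FAIL"
    return out
def install_check(pubfile, sigfile, files):          # the installer's order: signature first, then hashes
    try: text = signify_verify_embed(pubfile, sigfile)
    except ValueError as e: return {"signature": str(e)}
    return {"signature": "OK", **check_sets(text, files)}

# Constructed data: the release key is already on the installed system (/etc/signify);
# SHA256.sig and the sets are whatever the mirror, or a DNS-poisoned lookalike, serves.
RELEASE_SEED = hashlib.sha256(b"constructed release key seed, not a real OpenBSD key").digest()
ATTACKER_SEED = hashlib.sha256(b"constructed attacker key seed").digest()
KEYNUM = bytes(range(8))
PUBFILE = signify_pubfile(KEYNUM, pubkey(RELEASE_SEED))
SETS = {"base63.tgz": b"constructed base set", "bsd.rd": b"constructed ramdisk kernel"}
def sha256_text(sets):
    return b"".join(b"SHA256 (%s) = %s\n" % (n.encode(), hashlib.sha256(c).hexdigest().encode()) for n, c in sets.items())
GOOD_SIG = signify_sign_embed(RELEASE_SEED, KEYNUM, sha256_text(SETS))
EVIL_SETS = dict(SETS, **{"base63.tgz": b"backdoored base set"})
EVIL_SIG = signify_sign_embed(ATTACKER_SEED, KEYNUM, sha256_text(EVIL_SETS))      # attacker re-signs, same keynum
EVIL_SIG_OWN_ID = signify_sign_embed(ATTACKER_SEED, bytes(8), sha256_text(EVIL_SETS))

if __name__ == "__main__":
    for label, sig, sets in [("honest mirror", GOOD_SIG, SETS), ("swapped set", GOOD_SIG, EVIL_SETS),
                             ("re-signed", EVIL_SIG, EVIL_SETS), ("wrong key id", EVIL_SIG_OWN_ID, EVIL_SETS)]:
        print(label + ":", install_check(PUBFILE, sig, sets))
```

Run it with python3 and it prints the four outcomes: the honest mirror passes both steps, a swapped set under the original SHA256.sig fails its hash, and an attacker who re-signs fails at the signature (with the "wrong key" message if the keynum does not even match). With real files the equivalent is `signify -C -p /etc/signify/openbsd-63-base.pub -x SHA256.sig base63.tgz`, which does both steps in one command; the key for the next release is shipped in /etc/signify on the preceding release, so an upgrade is checked with a key the mirror never supplied. What the example does not cover is the very first install, where that key has to reach the machine by some other trusted path; that is the gap the mail asks about.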